On the 30th of October, The Office of the Australian Information Commissioner (OAIC) released quarterly statistics on Notifiable Data Breaches for July – September 2018.
A total of 245 data breach notifications were recorded during the quarter. The scale of personal information breached varies from contact information (85%) to health information (54%).
Across all sectors, 57% of data breaches occurred due to malicious or criminal attacks while human error was the cause of 37% and system faults caused 6% of data breaches recorded in the quarter.
The number of recorded malicious or criminal attacks declined by 2% from the April – June quarter, while human error and system faults rose by 1%.
Human Error
Human error is a large factor that is oftentimes difficult to control. According to the data breach report, human error includes, but is not limited to:
- Personal information sent to the wrong recipient (email)
- Unauthorised disclosure
- Failure to BCC when sending email
- Loss of paperwork/data storage device
When analysing all sectors, sending personal information to the wrong recipient via email accounted to 12% of all data breaches during the July - September quarter. Despite only recording 4 notifications, unauthorised disclosure (failure to redact personal information) affected an average of 633 individuals per breach.
Malicious or Criminal Attacks
As previously noted in the April – June report, malicious or criminal attacks were the main source of breach notifications – with 139 in total for the quarter (57% of all notifications). Within those breaches, cyber attacks stood at the top of the leader board with 96 reported notifications. Other breaches included theft of paperwork or data storage device with 17 notifications, rogue employee/insider threat with 14 notifications and social engineering/impersonation with 12 notifications in total for the quarter.
Cyber attacks recorded during the quarter include but are not limited to:
- Phishing (Compromised credentials)
- Hacking
- Ransomware
- Malware
- Compromised or stole credentials (method unknown)
- Brute-force attack (compromised credentials)
Regarding cyber attacks, phishing recorded 48 notifications (50% of all cyber incidents) in which a human factor was required e.g. clicking on a phishing attachment within an email.
System Error
According to the report, system faults accounted for 6% of data breaches during the quarter.
Unintended release or publication recorded a total of 9 data breaches which is described as, "... the disclosure of personal information on a website due to a bug in the web code, or a machine fault that results in a document containing personal information being sent to the wrong person."
While 5 breaches were caused by unintended access to personal information as a result of a system fault. Which the report describes as “…a coding error which allows an individual to access another individual’s online account.”
Sectors
The Notifiable Data Breach Report outlined the number of notifications received within specific industries:
| Top 5 Industry Sectors | Data Breaches Received |
| Health service providers | 45 |
| Finance (incl. superannuation) | 35 |
| Legal, accounting & management services | 34 |
| Education | 16 |
| Personal services | 13 |
What does this mean for you?
Avoiding potential data breaches is front-of-mind for many organisations and MSPs responsible for securing their infrastructure. So what can you do to keep your customers' data secure?
- Download the Disaster Preparedness Checklist in our Digital Marketing Toolbox and explore with your customer or prospect any potential holes in their current setup.
- Talk to our team about Probax Managed Services, which has been designed to provide MSPs with the extra firepower of Probax's highly skilled backup and disaster recovery experts who will ensure solutions are proactively monitored, configured and regularly tested. Learn more about our wide range of solutions here.
- Are your customers following the 3, 2, 1 rule? (3 copies of the data, at least 2 different mediums, and one offsite)
- Maintain familiarity with the Notifiable Data Breaches Act (applicable for Australian MSPs only).
- Find out how you can reduce the impact of data breaches on your business by contacting one of our team members or searching for solutions in the Knowledge Base.
Read the full July - September report here.
The next report from the OAIC for the October - December quarter is due in January 2019.
