On the 30th of October, the Office of the Australian Information Commissioner (OAIC) released quarterly statistics on Notifiable Data Breaches for July – September 2018.
A total of 245 data breach notifications were recorded during the quarter. The personal information involved in breaches ranged from contact information (85%) to health information (54%).
Across all sectors, 57% of data breaches occurred due to malicious or criminal attacks while human error was the cause of 37% and system faults caused 6% of data breaches recorded in the quarter.
The number of recorded malicious or criminal attacks declined by 2% from the April – June quarter, while human error and system faults rose by 1%.
Human error is a large factor that is oftentimes difficult to control. According to the data breach report, human error includes, but is not limited to:
Across all sectors, sending personal information to the wrong recipient via email accounted for 12% of all data breaches during the July – September quarter. Despite only recording 4 notifications, unauthorised disclosure (failure to redact personal information) affected an average of 633 individuals per breach.
As previously noted in the April – June report, malicious or criminal attacks were the main source of breach notifications – with 139 in total for the quarter (57% of all notifications). Within those breaches, cyber attacks stood at the top of the leader board with 96 reported notifications. Other breaches included theft of paperwork or data storage device with 17 notifications, rogue employee/insider threat with 14 notifications and social engineering/impersonation with 12 notifications in total for the quarter.
Cyber attacks recorded during the quarter include but are not limited to:
Among cyber attacks, phishing recorded 48 notifications (50% of all cyber incidents), in which a human factor was required, e.g. clicking on a phishing attachment within an email.
According to the report, system faults accounted for 6% of data breaches during the quarter.
Unintended release or publication, which the report describes as "... the disclosure of personal information on a website due to a bug in the web code, or a machine fault that results in a document containing personal information being sent to the wrong person," accounted for a total of 9 data breaches.
A further 5 breaches were caused by unintended access to personal information as a result of a system fault, which the report describes as “…a coding error which allows an individual to access another individual’s online account.”
The Notifiable Data Breach Report outlined the number of notifications received within specific industries:
| Top 5 Industry Sectors | Data Breaches Received |
| --- | --- |
| Health service providers | 45 |
| Finance (incl. superannuation) | 35 |
| Legal, accounting & management services | 34 |
| Education | 16 |
| Personal services | 13 |
Avoiding potential data breaches is front-of-mind for many organisations and MSPs responsible for securing their infrastructure. So what can you do to keep your customers' data secure?
Read the full July – September report here.
The next report from the OAIC for the October – December quarter is due in January 2019.