The Office of the Australian Information Commissioner (OAIC) has released quarterly statistics on Notifiable Data Breaches for April - June 2018. There were 242 notifications in this period, up from 63 in the January - March quarter (when the laws first came into effect).
Across all sectors, malicious or criminal attack accounted for the majority of data breach sources (59%), followed by human error (36%) and system faults (5%).
Human Error
Human error remains a prominent source of data breaches, and covers a wide range of incidents, including (but not limited to):
- Unauthorised verbal disclosure
- Unauthorised disclosure through a failure to redact
- The unintended release or publication of information
- Personal information being sent to the wrong recipient via email, mail and "other" means
- Failure to use 'BCC' when sending an email
- Loss of paperwork or a data storage device
- Insecure or improper disposal of personal information
Breaking down the statistics, 61% of the 242 data breaches affected 100 or fewer individuals; at the other end of the scale, three notifications related to incidents that impacted between 50,001 and 10 million individuals each.
By notification (across all sectors), 89% of data breaches in this quarter involved contact information, such as email address, home address and phone number. Sensitive information involving health, financial details or tax file numbers (TFNs) came in well below this figure. 39% of the 242 data breaches involved identity information, which is used to confirm an individual's identity, such as a passport, driver's license or Medicare number. These government-related identifiers are considered highly sensitive. Other sensitive information can include sexual orientation and political or religious views.
Malicious or Criminal Attacks
By far the most significant source of data breaches for the quarter was "cyber incidents", with 97 notifications in total. Theft of paperwork or a storage device (31) came second, with rogue employee/insider threat and social engineering/impersonation accounting for 7 reports each.
Broken down further, the cyber incident category includes (but is not limited to):
- Phishing - using compromised credentials
- Brute-force attack - using compromised credentials
- Compromised or stolen credentials (method unknown)
- Malware
- Ransomware
- Hacking (other means)
The majority of cyber incidents were linked to the compromise of credentials through phishing (29 per cent), brute-force attacks (14 per cent) or by unknown methods (34 per cent).
System Error
The OAIC has defined "system faults" as "a business or technology process error not caused by direct human error." These are split into two key areas: unintended access, and unintended release or publication. There were 12 system fault notifications sent in this quarter, 5 for unintended access and 7 for unintended release or publication. The latter includes (but is not limited to) publication via a website or Google, or publication in an inadequately secured environment (e.g. the 2016 Red Cross data breach).
By Sector
The Notifiable Data Breach Act applies to Australian businesses and to businesses that process the data of Australian citizens. Of the 242 data breaches reported in the April - June quarter, the following sectors reported the highest numbers:
| Sector | Number of Data Breaches Received |
| --- | --- |
| Health Service Providers | 49 |
| Finance | 36 |
| Legal, Accounting and Management services | 20 |
| Education | 19 |
| Business and Professional associations | 15 |
Any breach of the recently publicised 'My Health Record' system is not included in these statistics, as these are subject to their own specific notification requirements under the My Health Records Act 2012.
The next report from the OAIC for the July - September quarter is due in October.