During the period of 1 April 2019 to 30 June 2019, a total of 245 eligible data breaches were notified to the OAIC. One third of these was the result of human error, while almost two thirds were the result of a malicious or criminal attack.
The Office of the Australian Information Commissioner (OAIC) has released its latest quarterly Notifiable Data Breaches (NDB) report for the period 1 April 2019 to 30 June 2019. This is the first quarter of the second year since the NDB has been in operation. This report also makes a change in the OAIC’s reporting strategy going forward – these reports will now be rolled out every 6 months, rather than quarterly.
During the period, a total of 245 eligible data breaches were notified to the OAIC. One third of these was the result of human error (34%), while almost two thirds were the result of a malicious or criminal attack (62%). Just 4 percent were the result of a system fault.
These results have remained reasonably consistent across each quarterly report since the introduction of the NDB scheme in February 2018. The OAIC’s 12-month summary report revealed that out of the 964 incidents reported between 1 April 2018 and 31 March 2019, human error was attributed to 35 percent of incidents, whereas malicious and criminal attacks contributed to 60 percent of incidents overall.
While it remains a concern that the same trends continue each quarter, it should be noted that in many cases the incidents are limited in scale to a low volume of data subjects. Of the 245 breaches reported during the period 1 April 2019 to 30 June 2019, 204 (83%) involved the personal data of fewer than 1000 individuals, and 62 percent involved 100 individuals or fewer. This suggests that organisations are putting effective technical controls in place to limit the accidental loss or destruction of data at scale, and that the majority of cases are therefore likely to be individual episodes of data loss or disclosure.
This indication is reinforced by a closer look at the data. For example, of the 84 human error incidents, 67 (80%) resulted from an incorrect disclosure via various means, including email, mail, fax, verbal means and unintended public releases or publications. It can be inferred, then, that the most likely scenario involves the personal data of an individual or group of individuals being sent to the wrong recipient in error.
Of most concern is the growing trend in human-targeted malicious and criminal attacks. The vast majority of cyber incidents (79%) were linked to compromised credentials, and phishing attempts contributed to 43.81 percent of incidents in this category, compared to just 29 percent during the same quarter last year. Additionally, brute-force attacks showed a marked decrease from 14 percent to 4.76 percent, indicating that attackers may be moving toward targeting employees as a weaker link through which to gain access to an organisation's personal data. Roughly one third (30.48%) of incidents involving compromised or stolen credentials involved unknown methods. When combined with the fact that human error consistently contributes to one third of all reported incidents, it becomes clear that people risk represents an organisation's greatest weakness.
So what can organisations do to combat these challenges? We have identified the following measures to respond:
These measures are further reflected as key focus areas in the foreword to the OAIC’s 2019-20 Corporate Plan. Of particular note, the OAIC has identified it will focus on privacy education and awareness, accountability, privacy by design and default, building and maintaining trust and ongoing compliance with data security obligations, including uplifting of security posture.
KPMG Law has a team of experienced lawyers who can provide advice and support across all areas of your organisation's Privacy Risk Management Framework, including information lifecycle management, policy review and development, and breach preparation, response and remediation.