OAIC report on data breach notifications reveals continuing trends

During the period of 1 April 2019 to 30 June 2019, a total of 245 eligible data breaches were notified to the OAIC. One third of these was the result of human error, while almost two thirds were the result of a malicious or criminal attack.

The Office of the Australian Information Commissioner (OAIC) has released its latest quarterly Notifiable Data Breaches (NDB) report for the period 1 April 2019 to 30 June 2019. This is the first quarter of the second year since the NDB has been in operation. This report also makes a change in the OAIC’s reporting strategy going forward – these reports will now be rolled out every 6 months, rather than quarterly.

Quarterly overview

During the period, a total of 245 eligible data breaches were notified to the OAIC. One third of these was the result of human error (34%), while almost two thirds were the result of a malicious or criminal attack (62%). Just 4 percent were the result of a system fault.

These results have remained reasonably consistent across each quarterly report since the introduction of the NDB scheme in February 2018. The OAIC’s 12-month summary report revealed that, of the 964 incidents reported between 1 April 2018 and 31 March 2019, 35 percent were attributed to human error, whereas malicious and criminal attacks accounted for 60 percent of incidents overall.

Trends

While it remains a concern that the same trends continue each quarter, it should be noted that in many cases the incidents are limited in scale to a low volume of data subjects. Of the 245 breaches reported during the period 1 April 2019 to 30 June 2019, 204 (83%) involved the personal data of fewer than 1000 individuals, and 62 percent involved 100 individuals or fewer. This suggests that organisations are putting effective technical controls in place to limit the accidental loss or destruction of data in bulk, and that the majority of cases are therefore likely to be individual episodes of data loss or disclosure.

This indication is reinforced by a closer look at the data. For example, of the 84 human error incidents, 67 (80%) were the result of an incorrect disclosure via various means, including email, mail, fax, verbal disclosure and unintended public releases or publications. It can be inferred, then, that the most likely scenario involves the personal data of an individual or group of individuals being sent to the wrong recipient in error.

Human risk

Of most concern is the growing trend in human-targeted malicious and criminal attacks. The vast majority of cyber incidents (79%) were linked to compromised credentials, and phishing contributed to 43.81 percent of incidents in this category, compared to just 29 percent during the same quarter last year. Additionally, brute-force attacks showed a marked decrease from 14 percent to 4.76 percent, indicating that attackers may be moving toward targeting employees, as a weaker link, to gain access to an organisation’s personal data holdings. Roughly one third (30.48%) of incidents involving compromised or stolen credentials were attributed to unknown methods. When combined with the fact that human error consistently contributes to one third of all reported incidents, it becomes clear that people risk represents an organisation’s greatest weakness.

Take-aways

So what can organisations do to combat these challenges? We have identified the following measures to respond:

  1. Investing in good social engineering training will help staff to better recognise phishing attempts and know how to report and respond to them promptly.
  2. Greater password and credentials management protocols and monitoring will help to reduce the amount of data being compromised by unknown methods.
  3. Investing in robust Privacy by Design methodologies: human error through incorrect disclosures (and in particular, by email) continues to be one of the leading causes of data breaches. Organisations should first review and understand the most common causes of the breaches they have experienced, and then put in place procedures to counteract the known individual behaviours that contribute to them (for example, disabling Outlook’s auto-fill feature can help reduce the number of incorrect email disclosures). Often the data that has been compromised is also data that was not necessary for the organisation to collect or continue to hold. Implementing robust data collection, retention and minimisation policies underpinned by Privacy by Design principles will help to mitigate the risk of data exposure should access be compromised.

Comment

These measures are further reflected as key focus areas in the foreword to the OAIC’s 2019-20 Corporate Plan. Of particular note, the OAIC has identified that it will focus on privacy education and awareness, accountability, privacy by design and default, building and maintaining trust, and ongoing compliance with data security obligations, including uplift of security posture.

How can we help?

KPMG Law has a team of experienced lawyers who can provide advice and support across all areas of your organisation’s Privacy Risk Management Framework, including information lifecycle management, policy review and development, and breach preparation, response and remediation.