Causes of data breaches, industries most impacted and regulator comments following the first 8 months of the NDB Scheme
Trends are emerging from the quarterly statistical data reports released by the Office of the Australian Information Commissioner (OAIC) on data breach notifications received in the first 8 months since the notifiable data breach (NDB) scheme under the Privacy Act commenced.
The OAIC’s most recent report provides data on 245 breaches notified in the July to September 2018 quarter (Q3 Report). In the April to June 2018 quarter, 242 breaches were notified (Q2 Report). Trends are now emerging in the major causes of notifiable breaches, the industries most affected and the simple steps all businesses should be taking to reduce their cyber and privacy risk.
Causes of notified breaches
The causes of breaches notified in the July to September 2018 quarter were:
- 37% due to human error (36% in the previous quarter)
- 57% due to malicious or criminal attack (59% in the previous quarter)
- 6% due to system fault (5% in the previous quarter)
The majority of the notified breaches were the result of malicious or criminal attack (including phishing, malware, ransomware and social engineering, among other methods). More than half of these involved compromised or stolen credentials, obtained through phishing, brute force attacks or other, unknown methods. Many of these attacks would have depended on an employee of, or individual associated with, the impacted business taking some action with an unintended consequence (for example, clicking a link in a malicious email).
A significant number of breaches were also attributable purely to human error. This includes the disclosure of personal information by sending emails, mail or faxes to the wrong recipients, the failure to use BCC when emailing multiple recipients, the unintended release or publication of personal information, and the loss of physical devices or papers.
While some level of human error is inevitable, these statistics demonstrate the need for continuous privacy and cyber security training, so that employees understand the risks businesses and individuals face and the simple steps they can take in their day to day work to reduce cyber and privacy risk.
This includes, for example, recognising the warning signs of phishing or social engineering, following password best practice and confirming the recipients of any communication before it is sent. Implementing policies and procedures that help employees reduce cyber and privacy risk is therefore a critical area for business focus.
Most affected industries
The industry sectors that notified the most breaches in the last two quarters were:
- health service providers
- legal, accounting and management services
A variety of reasons could explain why these industries have made the most breach notifications, including the greater volume of personal information they are likely to handle day to day, the value of that personal information, and the ease with which malicious actors can leverage it for financial gain.
Interestingly, although the majority of notified breaches overall were the result of malicious or criminal attack, less than half of the breaches notified by the health service provider and finance sectors were the result of malicious or criminal attack; the remainder were attributed to human error or system fault.
This indicates that, while businesses in these industries need to be particularly conscious of their information security and handling procedures, all businesses across all industries need to take information handling and security seriously. Malicious attackers are likely to target the businesses from which they can most quickly and easily achieve a financial gain.
OAIC comments on assessing the need to notify
The OAIC has recently indicated that a number of notifications received may not have been necessary under the NDB scheme. In this respect, the OAIC does not want businesses to take a ‘better safe than sorry’ approach to the notification of breaches.
Instead, it would like to see businesses properly grapple with the tests set out in the Privacy Act regarding notification, particularly when assessing whether:
- a particular incident that resulted in unauthorised loss or disclosure of personal information was likely to result in serious harm; and
- the likelihood of serious harm cannot be remedied by the business within a short period of the incident that resulted in unauthorised loss or disclosure.
For example, an incident where personal information was inadvertently sent by email to the wrong recipient but where a sender took steps to have the recipient delete the email would not on its face need to be notified.
The OAIC emphasised the importance of businesses properly documenting the steps taken to investigate an incident, as well as the methodology and reasoning behind any decision to notify a breach.
In this context, the OAIC has cautioned against the onset of data breach notification fatigue and wants to ensure that notifications of serious breaches are responded to appropriately by businesses and affected individuals alike.