The Office of the Australian Information Commissioner recently released the Notifiable Data Breach report for July-December 2020. We’ve trawled through the report and collated some of the most interesting statistics into a curated version below. Read on to find out about the most noteworthy figures from this period and what we can deduce from the numbers.
The rising dominance of human-error in data breaches
Data breaches resulting from human error accounted for 38%, or 204, of the total notifications from July to December last year. That is an 18% rise in the number of human-error notifications compared with the previous reporting period (January to June 2020) and a 6% rise year-over-year.
The rise in data breaches owed to human error may not come as a shock, seeing as a world-wide crisis has led to an unprecedented change in the way people work, communicate and live in general. With so many working from home and communication shifted into primarily online and virtual forms, this increase has largely been anticipated.
And while the growth in breaches due to human fault was anticipated, it should not be tolerated. 45% of these human-error breaches involved sending personal information to the wrong recipient via email, and 16% involved the unintended release or unauthorised disclosure of personal information. Unauthorised disclosure affected the most people per breach, with an average of over 20,000 individuals per incident. Failure to use BCC for group emails was close behind, affecting over 19,000 individuals per breach on average.
As these statistics show, seemingly minor actions, such as failing to BCC a group email or to check the recipient list before sending, can directly cause a data breach affecting tens of thousands of people. The numbers reflect the need for better email handling habits and for technical controls that catch these mistakes before a message leaves the organisation. Email deserves that care: it has been the backbone of business communication for decades and will remain so for the foreseeable future.
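The two human-error patterns the report counts most often, a group email sent with the recipients visible instead of in BCC, and a message going to an external address by mistake, are both detectable on the outbound path before the message is sent. The following is an added example, not code from the OAIC or from the original post, of a small outbound-mail check of the kind a mail gateway or send hook could run: it counts the external recipients visible in To/Cc and, above an assumed threshold, moves every external address to Bcc, reporting what it did so the caller can log or block the send. The internal domain, the threshold and the sample message are all assumptions constructed for the example.

```python
"""Outbound mail check for two common human-error breach patterns:
visible group recipients (no BCC) and external recipients.

Added example. INTERNAL_DOMAIN, MAX_VISIBLE_EXTERNAL and the sample
message are assumptions, not values taken from the OAIC report.
"""

from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com.au"   # assumed organisation domain
MAX_VISIBLE_EXTERNAL = 1             # assumed policy: at most one visible external recipient


def header_addresses(msg, header):
    """Return the bare, lower-cased addresses in a To/Cc/Bcc/From header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr):
    """True when the address is outside the organisation's own domain."""
    return addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def enforce_bcc(msg):
    """Rewrite msg in place so external recipients are never visible to each other.

    Rule (assumed policy): if more than MAX_VISIBLE_EXTERNAL external addresses
    appear in To/Cc, move every external address to Bcc. Internal addresses stay
    where they are. Returns a report dict so the caller can log the decision or
    flag a message that mixes several external domains (a wrong-recipient sign).
    """
    visible = header_addresses(msg, "To") + header_addresses(msg, "Cc")
    external = [a for a in visible if is_external(a)]
    report = {
        "visible_external": len(external),
        "external_domains": sorted({a.rsplit("@", 1)[-1] for a in external}),
        "moved_to_bcc": 0,
    }
    if len(external) <= MAX_VISIBLE_EXTERNAL:
        return report

    keep_to = [a for a in header_addresses(msg, "To") if not is_external(a)]
    keep_cc = [a for a in header_addresses(msg, "Cc") if not is_external(a)]
    if not keep_to:
        # A message needs a visible To; address it to the sender, as mail clients do
        # for undisclosed-recipient mailouts.
        keep_to = header_addresses(msg, "From")
    bcc = header_addresses(msg, "Bcc") + external

    # Replace headers wholesale: assigning msg["To"] would add a second header.
    for header, values in (("To", keep_to), ("Cc", keep_cc), ("Bcc", bcc)):
        del msg[header]
        if values:
            msg[header] = ", ".join(values)
    report["moved_to_bcc"] = len(external)
    return report


def build_message(to, cc=""):
    """Constructed sample message (not a real mail) for exercising enforce_bcc."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.com.au"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Appointment reminder"
    msg.set_content("Your appointment is confirmed.")
    return msg


if __name__ == "__main__":
    # The classic mistake: a patient mailout with three external addresses in To.
    m = build_message(
        "patient.one@example.org, patient.two@example.net, patient.three@example.org",
        cc="records@example.com.au",
    )
    print(enforce_bcc(m))
    print("To:", m["To"], "| Cc:", m["Cc"], "| Bcc:", m["Bcc"])
```

In production the same check belongs at the gateway rather than in the client, so it applies to every sender; the `external_domains` field is there so a message addressed to several unrelated outside domains can be held for confirmation rather than silently rewritten.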
Malicious attacks slightly decrease, but remain the leading source of data breaches
Malicious attacks accounted for 58%, or 310, of notifications this period, a 1% decrease compared with the first half of 2020.
Around 70% of these malicious attacks were what the OAIC calls ‘cyber incidents.’ The other 30% involved theft of paperwork or data storage devices, social engineering or impersonation, and rogue employees or insiders. Over half of the cyber incidents involved malicious actors gaining access to accounts using compromised credentials: 25% of cyber incidents involved credentials obtained through email-based phishing, 8% credentials obtained by brute force, and a further 25% credentials compromised by an unknown method.
While the report states that “the OAIC is yet to identify any information or incidents that conclusively prove a link” to the impacts of remote working, we can loosely infer that these statistics reflect the real state of email security throughout the pandemic. The consistently high numbers of compromised credentials via email-based phishing suggests that this facet of information security needs heightened attention.
With hybrid work-from-home models still lingering in 2021 and security perimeters being pushed outside of normal office confines, Australian organisations need to up awareness around the pressing issues of phishing, good password hygiene and proper information handling.
The other major categories of cyber incident were ransomware, which made up 17%, and hacking, which made up 14%.
We cannot directly attribute the minor decrease in data breaches caused by malicious attack to remote working arrangements and the pandemic. It is also worth remembering that the OAIC only reports on successful attacks that resulted in a notifiable breach, so the figures are not a complete picture of criminal activity against Australian businesses. The slight decrease could partly reflect fewer users and devices on office networks during lockdowns, leaving attackers a smaller on-premises footprint to pivot through, although that shift moves risk onto home networks and remote-access services rather than removing it.
Once again, healthcare remains the highest reporting industry sector, notifying 23% of all data breaches.
Human error was the most common source of data breaches in health, responsible for 57% of those reported, while malicious attacks accounted for 41% of breaches in this industry.
Finance was the second highest reporting sector, notifying 15% of all data breaches.
66% of these data breaches were due to malicious attack and 28% were caused by human error.
Perhaps most notably, the Australian Government entered the top five reporting sectors for the first time, surpassing the insurance industry.
It notified 6%, or 33, of all breaches. 29 of these were caused by human error, with the majority stemming from personal information being sent to the wrong recipient via email.
The issue with deficient reporting
The OAIC noted that it encountered multiple instances of deficient reporting this period, where breached entities either failed to assess the incident in a timely manner or failed to properly notify affected individuals. Some organisations provided individuals with ‘relatively generic advice’ or insufficient information about what had been exposed, understating the seriousness of the situation. Without clarity on which kinds of personal details had been exposed, those individuals could not properly judge the risk to their privacy.
The reporting entities were required to send out an updated notification to the affected individuals, specifying the kinds of personal information involved in the breach and recommendations on how to best respond as well as mitigate potential harm arising from the situation.
Evidently, this is an area that must receive immediate attention from Australian organisations covered by the Privacy Act 1988, not only so the business meets the OAIC’s reporting requirements, but for the sake of the affected individuals. Delayed or incomplete notification undermines their ability to make informed decisions about how to respond and mitigate the harm, and can therefore lead to greater damage.
Where will we be a year from now?
Australian Information Commissioner and Privacy Commissioner Angelene Falk stated that the OAIC “will continue to closely monitor compliance with the scheme and prioritise regulatory action where there are significant failings.” Hopefully, by the time the next report is released, we will see that Australian organisations have improved detection, assessment, notification and reporting processes around data breaches.
We hope to see uplifted security and handling around the personal information these entities hold. We encourage Australian businesses to seek out and implement security policies and technology to assist them with email security, and to further assist them with minimising breaches caused by human error.