A new report from the Office of the Australian Information Commissioner (OAIC) reveals that phishing was the most criminal attack suffered by Australian organizations in Q3 2018.
For its “Notifiable Data Breaches Quarterly Statistics Report: 1 July – 30 September 2018,” OAIC received 245 data breach notifications—just three more notifications than it collected during the previous quarter. The majority (63 percent) of those disclosed incidents compromised the personal information of 100 individuals or fewer, with breaches affecting no more than 10 people accounting for 41 percent of the total. Even so, a few incidents were larger in scale; two exposed the data of upwards of 250,000 people.
OAIC analyzed the reported breaches and determined that just over a third (37 percent) of incidents involved human error. Of those, the most common mistake involved sending personal information to the wrong email recipient. By contrast, system fault—including unintended access and unintended release of publication—was the data breach source in just six percent of cases.
For the remaining 57 percent of breaches, a malicious or criminal attack was responsible. Phishing made up the largest share of this data breach source category, for it took place in half of the malicious or criminal attacks. The second most prevalent attack source, compromised or stolen credentials (method unknown), followed at 19 percent.
From an industry perspective, some sectors suffered more data breaches than others. Healthcare organizations, for example, submitted 45 notifications, or 18 percent of the total number of reports received during the quarter. Seventy-one percent of the breaches in the sector affected fewer than 100 people. Just over a third of those reported incidents affected only one person. However, the sector did experience one incident that compromised the personal information of between 10,000 and 25,000 people.
This finding comes at a time when Australians are increasingly concerned about their health-related information. In early November, The Sydney Morning Herald reported how the opt-out helpline for My Health Record, Australia’s portal for helping people keep track of their medical data, was back online after a system failure as consumers clamored to remove themselves from their service. This rush came just a few months after a NEWS Corp investigation identified nine data breaches involving My Health Record.
Each quarter, OAIC publishes a report analyzing the reports it received under the Notifiable Data Breaches (NDB) scheme. This framework requires agencies and organizations regulated under the Australian Privacy Act 1988 to notify affected individuals and the OAIC when a data breach might cause serious harm to affected individuals.
Organizations can protect themselves against a breach by following the OAIC’s Guide to securing personal information. In particular, companies should encrypt their stored data and regularly review not only what encryption methods they use but also where they should be employing them. Additionally, companies should use key management to store their encryption keys in a safe place as well as leverage identity and access management (IAM) to control who can interact with their systems and sensitive data.
Learn more about the NDB scheme and applicable security measures to address the act’s compliance requirements.