Notifiable Data Breach report to June 2020

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020, and it makes for an interesting read.

An increase in data breaches caused by ransomware attacks and impersonation is among the key findings in the latest report. The report also shows a slight fall in the number of eligible breaches reported (518) against the previous six-month period (532), but an increase of 16% compared to the same period last year.

Malicious or criminal attacks including cyber incidents top the list as the leading cause of data breaches involving personal information in Australia.

The report shows the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June.

OAIC stated that it is now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network. Organisations hit by these attacks are left unable to access their systems while also dealing with the prospect of the stolen data being sold on the Dark Web.

Approximately 77% of notifying entities were able to identify a breach within 30 days of it occurring. However, in 47 instances the entity took between 61 and 365 days to become aware of and assess that a data breach had occurred, while 14 entities took more than a year. That is a sobering statistic when you consider the amount of damage someone could do sitting in your network for that long.

“Organisations must be able to detect and respond rapidly to data breaches to contain, assess and notify about the potential for serious harm,” Commissioner Falk from OAIC said.
“A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.
“In these cases, we required the organisation to re-issue the notification. We will continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”

In other findings:

  • The insurance industry entered the top five sectors for the first time since the report began, notifying 35 breaches.
  • Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors.
  • The number of notifications resulting from social engineering or impersonation increased by 47% during the reporting period, to 50 data breaches.
  • Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.

The number of notifications per month varied widely across the reporting period, ranging from 63 in January to 124 in May — the highest number of data breaches reported in a month since the NDB scheme began in February 2018.

While the increase coincided with widespread changes in working arrangements due to the COVID-19 outbreak, Commissioner Falk said the OAIC did not believe the increase was due to the change in business practices.

“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” she said.

“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.

“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.”

As a guideline, the OAIC has provided some steps and strategies that may be reasonable to take to ensure your organisation secures its data in line with its requirements. These cover the following nine key areas:

  • Governance, culture and training
  • Internal practices, procedures and systems
  • ICT security
  • Access security
  • Third party providers (including cloud computing)
  • Data breaches
  • Physical security
  • Destruction and de-identification
  • Standards

FortiTech has worked with a number of businesses to secure their data in the fight against cyber crime and to meet compliance requirements. We use a multi-pronged approach that includes staff education, data security, firewalls and multi-factor authentication. If you want to ensure your data is safe and avoid the potential headache of a data breach, give us a call on 1300 778 078 or email to find out how we can help fortify your technology.