OAIC’s latest report reveals 446 data breach notifications
The OAIC’s latest Notifiable Data Breaches Report reveals that the organisation has received 446 data breach notifications from January to June of this year.
Out of the 446 data breaches, 43 per cent came from cyber security incidents. The OAIC also reported that data breaches caused by ransomware incidents increased by 24%, rising to 46 from the last reported 37 notifications.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the increase in ransomware incidents was cause for concern due to the difficulties in assessing such breaches.
“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.
“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.”
Because of the increase in ransomware attacks, the OAIC advises entities to have appropriate internal practices, procedures and systems that will assess and respond to data breaches.
The OAIC also advises that entities should have a clear understanding of how and where personal information is stored across their network.
Aside from data breaches caused by ransomware attacks, there was also a number of breaches that were caused by impersonation fraud, where a malicious actor impersonates another individual to gain access to an account, system, network or physical location.
“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.
“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.”
The report recommends that entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.
The Notifiable Data Breaches Report also revealed the following key findings:
- Malicious or criminal attacks account for 65% of the data breach notifications.
- Data breaches resulting from human error went down from 203 to 134.
- The health sector remains the highest reporting industry sector, followed by the finance sector.
- The number of notifications varied across the reporting period, ranging from 45 in January to 102 in March.
- 91% involved contact information, making it the most common type of personal information involved in data breaches.
- 93% of the breaches affected 5,000 individuals or fewer. Meanwhile, 65% affected 100 individuals or fewer and 44% affected between 1 and 10 individuals.
- 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
Although human error breaches decreased in the latest report, entities, particularly the Australian Government, need to remain alert to this risk.
“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” Commissioner Falk said.
“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”
SOURCE: OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER MEDIA RELEASE