The latest Notifiable Data Breaches (NDB) Report from the Office of the Australian Information Commissioner (OAIC) has found that malicious or criminal attacks were the leading cause of data breaches reported to the OAIC between 1 January 2020 and 30 June 2020.
The OAIC releases six-monthly NDB reports which capture notifications made by organisations under the NDB scheme. The NDB scheme requires organisations covered by the Privacy Act 1988 (Cth) to notify the OAIC, and the affected individuals, when a data breach is likely to result in serious harm to an individual whose personal information is involved. The NDB reports track the leading causes and sources of data breaches amongst reporting organisations and highlight emerging issues and areas for ongoing attention.
Released on 31 July 2020, the latest report identifies malicious or criminal attacks (including cyber incidents and social engineering/impersonation) as the leading cause of data breaches involving personal information in Australia (61% of all breaches). Notably, the OAIC found that the number of data breach notifications attributed to ransomware attacks increased by more than 150% compared to the previous six months. Ransomware can be installed on a system through a malicious email attachment, a fraudulent software download or by visiting a malicious webpage.
The report found that human error was the second largest source of data breaches, accounting for 34% of all breaches during the six-month period, a 7% increase from the previous reporting period. Examples of human error breaches included staff sending personal information to the wrong recipient and unintentionally releasing or publishing personal information.
The industry sectors reporting the most data breaches were health, followed by finance, then education. Contact information was the type of personal information most commonly involved in a data breach.
You can access the full NDB Report for the January-June 2020 period on the OAIC website.
Recommendations for organisations
The release of the NDB Report is a timely reminder for organisations to protect personal information from serious data breaches by taking action such as:
- ensuring you have the capacity to detect and respond quickly to data breaches;
- having a data breach response plan in place;
- understanding how and where personal information is stored across your systems, and considering additional measures to protect that data, such as network segmentation, robust access controls and encryption;
- addressing privacy impacts of any changed business practices, including in response to COVID-19; and
- taking steps to prevent human error breaches, including training staff who handle personal information.
Published: 12 August 2020