The Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches (NDB) Report (covering the period of January to June 2021) has identified ransomware and impersonation fraud as areas that organisations should focus on preventing.
The OAIC releases six-monthly NDB reports which capture notifications made by organisations under the NDB scheme. The NDB reports track the leading causes and sources of data breaches amongst reporting organisations and highlight emerging issues and areas for ongoing attention.
The NDB scheme
The NDB scheme requires organisations covered by the Privacy Act 1988 (Cth) (Privacy Act) to notify the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Key takeaways from the latest report
The report identifies malicious or criminal attacks as the leading cause of data breaches involving personal information in Australia (65% of all breaches).
The majority of breaches (66%) in the malicious or criminal attack category involved cyber incidents. Notably, in the cyber incident category, ransomware incidents increased by 24% since the previous Report (July-December 2020).
The industry sectors with the highest number of reported data breaches are: health, finance (including superannuation), legal, accounting and management, Australian government and insurance.
The Report highlights how the OAIC expects entities to prevent and respond to data breaches caused by both ransomware and impersonation fraud. Key points are summarised below:
Impersonation fraud involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location.
The OAIC expects entities to have controls and identity verification processes in place to minimise the risk of impersonation fraud, including:
- having robust identity verification processes in place and adapting them to emerging threats;
- training staff in identity verification processes and how to report and escalate fraud;
- implementing multifactor authentication; and
- automatically notifying customers when changes are made to their account or there are failed authentication attempts.
Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.
The OAIC notes that some entities have not been correctly assessing ransomware attacks as NDBs on the basis that there is limited evidence that data has been accessed.
The OAIC reminds organisations that an assessment of a suspected data breach under section 26WH of the Privacy Act is required if there are reasonable grounds to suspect that there may have been an eligible data breach, even if there are insufficient reasonable grounds to believe that an eligible data breach has occurred.
The OAIC expects entities to have appropriate measures in place to undertake a thorough assessment of whether a breach has occurred due to ransomware under section 26WH of the Privacy Act, including:
- having appropriate audit and access logs;
- using a backup system that is routinely tested for data integrity;
- having an incident response plan; and
- considering engaging a cyber security expert at an early stage to conduct a forensic analysis if a ransomware attack occurs.
We recommend that organisations carefully review their procedures and data breach response plans to ensure that they comply with the Privacy Act and OAIC guidelines.
If you have any queries or would like further information about this article, please contact:
M: 0408 446 013
T: (03) 6235 5161
Published: 20 October 2021