Notifiable Data Breach Legislation
1 April to 30 June 2019 Report: Deliberate criminal attacks still behind most notifiable data breaches
The Office of the Australian Information Commissioner has released its latest “Notifiable Data Breaches Quarterly Statistics Report” with statistical information about notifications received under the Notifiable Data Breaches Scheme from 1 April to 30 June 2019[i].
The total number of data breach notifications received in the quarter was 245, which, with the addition of the 215 received from January to the end of March 2019, brings the total number received in 2019 to 460.
The largest source of data breaches for all sectors was a malicious or criminal attack (62 per cent) followed by human error (34 per cent) and system fault (4 per cent). Malicious or criminal attacks are deliberate acts designed to exploit system vulnerabilities.
Out of the total of 151 data breaches, 69.5 per cent were due to cyber incidents, which include phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials. Theft of paperwork or data storage devices was the cause of 14.5 per cent of breaches, and other sources included insider threats (8 per cent) and social engineering or impersonation (8 per cent).
What type of personal information are criminals targeting?
Contact information was the most common type of personal information involved, appearing in 90 per cent of data breaches reported, followed by financial details at 42 per cent. Other personal information involved in data breaches includes identity information (31 per cent), health information (27 per cent) and tax file numbers (16 per cent).
What industries are reporting the most data breaches?
The sector that reported the highest number of data breaches was Health Service Providers with 47 data breaches reported during the period. The Finance industry, including superannuation, reported 42 breaches followed by Legal, Accounting and Management services (24 breaches), Education (23 breaches) and Retail (15 breaches).
Human error continues to be an issue across all sectors and remains the primary cause of data breaches in the private health sector (53 per cent). The error that has the most significant impact on the total number of individuals affected is ‘unauthorised disclosure’, with 9,479 individuals affected by this error.
Reducing human error continues to be the most significant challenge to organisations, with the communication of data breach obligations and the implementation of response plans proving difficult as businesses adapt to the new regulations.
IPSI’s Notifiable Data Breach Scheme fact sheet highlights seven key actions to prioritise to reduce the risk of data breach. Download your copy here >> Notifiable Data Breach Scheme Fact Sheet.
[i] Office of the Australian Information Commissioner, ‘Notifiable Data Breaches Quarterly Statistics Report: 1 April – 30 June 2019’, accessed 17 September 2019 at https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf