The Office of the Australian Information Commissioner (OAIC) has released their quarterly report into notifiable data breaches. It’s important to note this is just the second report made by the OAIC since the Notifiable Data Breach (NDB) scheme came into effect in February this year.
During this reporting period, from April to June, 242 notifications were received by the OAIC with 36 percent attributed to human error and almost two-thirds apportioned to malicious attacks. Just one in 20 were the result of system faults.
There have been four full months of reporting since the NDB scheme came into place – the February reporting month only represents about two weeks. Since then we’ve seen the following in terms of numbers of breaches.
- March: 55
- April: 65
- May: 87
- June: 90
The biggest reported breach was most likely PageUp. Although the report anonymises the sources of the reports, it’s hard to imagine any other breach occurred that affected over a million Australians. But there were also two breaches involving between 50,000 and 100,000 records and nine of between 5,000 and 25,000 records.
More than a fifth of the reports involved the loss of a single data record.
Of the 242 notifications received, 216 involved contact information with 102 involving financial details, 94 involving identity information and 61 concerning health information.
The OAIC says ‘contact information’ includes data such as an individual’s home address, phone number or email address. ‘Identity information’ refers to information that is used to confirm an individual’s identity, such as passport number, driver’s licence number or other government identifiers.
Looking at human error, sending data to the wrong email recipient is the top reason for reported breaches. The largest source of attacks was cyber incidents such as phishing, malware, ransomware, brute-force attack, compromised or stolen credentials and hacking.
The sector that reported the most incidents was health service providers – something that should give us great pause given the government’s push of the My Health Record system.
Finance, Legal, Accounting & Management services, Education, and Business and Professional Associations rounded out the top five sectors.
You can read the full report, which breaks down each sector further, looking at the types of breaches and how they affect specific industry sectors.