The second quarterly report on notifiable data breaches in Australia has now been published, and more organisations seem to be getting on board and meeting their reporting obligations. Below are the highlights from the report:
- Rise in Number of Reports and Industry Sectors
NDBs (Notifiable Data Breaches) reported increased from 63 in Quarter 1 (January – March) to 242 in Quarter 2 (April – June). Taking into account that the scheme only came into effect on the 22nd of February, this rise is not unexpected. This quarter we also welcome Business and Professional Associations into the top five industry sectors with the most NDBs and say goodbye to the Charities sector, which has dropped out of the top five. The top offender segments this quarter were Health (20%), Finance (15%) and Legal, Accounting & Management Services (8%).
- Source of Data Breach
This is where things get concerning. This quarter, malicious or criminal attacks (59%) accounted for the majority of NDBs, followed by human error (36%) and system fault (5%). Human error and malicious attacks remained the two highest breach sources.
Malicious attacks include theft of paperwork or storage devices (how do you dispose of your physical data?), insider threats including rogue employees, and social engineering or impersonation; however, the majority (97 NDBs) were cyber incidents.
The scary part of malicious attacks is that they are avoidable! 29% of cyber incidents were caused by phishing; I wonder whether those affected had spam filters or a systematic approach to user training. 34% involved compromised or stolen credentials; if you are concerned about the security of your company and employee credentials, please reach out to Aliva for information on our Dark Web credential monitoring service.
Human error again accounted for over 30% of NDBs for the second consecutive quarter. The most common source of human error was personal information being sent by email to the incorrect person (32 NDBs). Although that category had the greatest number of breaches, loss of paperwork or a data storage device affected the greatest number of people per breach on average (1,199).
- Summary and prevention
There were 12 breaches that affected more than 5,001 people and 23 breaches that affected 1,001 to 5,000 people. There were 149 breaches that affected 2 to 1,000 people. This report did not include data from breaches currently under investigation.
So, what is expected for the Q3 report? The number of NDBs can be expected to increase significantly as more and more businesses start to report breaches and take information security more seriously.
According to the Ponemon Institute, it takes 191 days on average for organisations to identify a data breach and 66 days on average to fully contain a data breach. Therefore, if organisations started looking for breaches when the law came into play (22/02/18), then we expect many will start finding them at the end of this quarter (September), approximately 190+ days from the introduction of data breach laws.
If you are concerned about preventing new data breaches, handling any current ones, or improving the quality of your information security posture, please contact Aliva for a discussion with our specialists.
For information about this report please see: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018#data-breach-notifications-from-all-industry-sectors.
By David Meister, Business Development Manager