Under the Notifiable Data Breaches Scheme which commenced on 22 February 2018, organisations are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in relation to data breaches where there are reasonable grounds to believe that an eligible data breach has occurred (that is, a data breach that is likely to result in serious harm).
We now have a better idea of how the Scheme is working, and the nature of the causes of data breaches, with the release by the OAIC on 31 July 2018 of the second quarterly report on data breach notifications the OAIC has received under the Notifiable Data Breaches Scheme. It covers the period between 1 April 2018 and 30 June 2018, the first full period for the Scheme and thus the first full period for which information about data breach notifications has been available.
During that period, a total of 242 data breach notifications to the OAIC were made, which is an average of more than two notifications per day (reports of a breach that involved multiple entities were counted as a single notification). What will be of most interest to entities subject to the Scheme (and indeed, anyone interested in protecting privacy) will be the kinds of information involved, the causes of the breaches, and what they suggest are the key areas of concern in improving their own data security.
Kinds of information involved in the notified data breaches
The kinds of personal information involved by percentage of notifications were:
- Contact information (89%);
- Financial details (42%);
- Identity information (39%);
- Health information (25%);
- Tax File Number (19%); and
- Other sensitive information (8%).
When organisations use the OAIC's form to notify a data breach, they can select more than one kind of personal information that was involved in the data breach. The statistics indicate that a data breach typically involves more than one kind of personal information.
Causes of the notified data breaches
The main causes of data breaches notified to the OAIC were:
Malicious or criminal attacks (59% of notified data breaches). Malicious or criminal attacks are different from human error breaches as they are deliberately crafted to exploit known vulnerabilities for financial or other gain. These attacks included:
- cyber incidents such as compromised or stolen credentials, brute-force attacks, phishing, malware, ransomware and hacking;
- theft of paperwork or storage devices;
- social engineering/impersonation. This is an attack that relies on human interaction to manipulate people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations; and
- attacks by employees or insiders against the interest of the employer or entity.
Human error (36% of notified data breaches). Human error is an unintended action by an individual directly resulting in a data breach. Kinds of human error included:
- failures to use the "blind carbon copy" (BCC) function to send a group email. This impacted an average of 571 affected individuals per notified breach;
- loss of paperwork or storage devices (the OAIC provides an example of leaving a folder or a laptop on a bus). This type of human error impacted the largest number of individuals, an average of 1199 affected individuals per notification;
- sending personal information to the wrong recipient (whether by mail, email, fax or other means such as uploading to a web portal). This generally impacted a smaller number of individuals;
- insecure disposal (OAIC provides an example of using a public rubbish bin instead of a secure document disposal bin to dispose of customer records); and
- unauthorised disclosure of personal information. This includes an unauthorised release or publication of personal information whether in writing or orally, and a failure to redact personal information before disclosing it.
System faults not caused by direct human error (5% of notified data breaches). This comprised unintended access to, and unintended release or publication of, personal information as a result of a system fault.
Top five industry sectors that notified data breaches
During the reporting period, the largest number of notified data breaches was received from health service providers, followed by organisations in the finance industry, the legal, accounting and management services industry, the education sector, and the business and professional association sector.
Key lessons from the Notifiable Data Breaches second quarterly report
Given the findings of the report, entities should be reviewing two areas to reduce the likelihood of suffering a breach.
First, they should look at their day-to-day operational processes and procedures to minimise the occurrence or reoccurrence of data breaches from causes such as human error and cyber security incidents. For example, organisations could review email and communication protocols to attempt to minimise incidents where personal information is sent to the wrong recipient or review information security measures to prevent cyber incidents from occurring.
Secondly, they should review their internal data breach management policies to ensure they have adequate processes to identify breaches, including those with the characteristics described above.