The Office of the Australian Information Commissioner (OAIC) has released its biannual statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme. The NDB scheme requires any organisation or government agency subject to the Privacy Act 1988 (Cth) to notify both affected individuals and the OAIC whenever a data breach is likely to result in serious harm to the individuals whose personal information is the subject of the data breach.
The OAIC's latest report on the NDB scheme captures notifications made under the NDB scheme for the period between 1 January and 30 June 2021 and summarises the key statistics.
Key findings from the report include:
- 446 breaches were notified under the NDB scheme in the relevant period, which is a decrease of 16% from the previous period of July to December 2020 and an 11% decrease compared to January to June 2020.
- Malicious or criminal attacks remain the primary source of data breaches, making up 65% of total notifications. The number of these breaches has decreased slightly from the previous reporting period, but increased as a proportion of the total number of breaches.
- Data breaches resulting from human error represented 30% of notifications, a decrease from 203 notifications in the previous period to 134. However, entities should still be cognisant of the risk posed by human error: in some industry sectors, human error was the cause of 74% of data breaches. A common example of a human error breach is sending personal information to the wrong recipient via email.
- Health service providers were the highest reporting industry sector (at 19%), followed by finance, then legal, accounting and management services, the Australian government, and insurance.
- The vast majority (93%) of data breaches affected 5,000 individuals or fewer, with 65% of breaches affecting 100 individuals or fewer.
- Contact information was the most common type of personal information affected by data breaches, representing 91% of data breaches notified under the NDB scheme. Contact information includes details like an individual’s name, home address, phone number or email address.
Of particular note is the attention drawn by the OAIC to the issue of impersonation fraud. The report notes that there were a number of data breaches arising from this activity.
The report recommends the use of controls and identity verification processes to minimise the risk of impersonation fraud but notes that the growth of personal information data on the dark web has meant that malicious actors increasingly hold sufficient information to impersonate account holders. Accordingly, the OAIC recommends that entities should regularly review their security measures and consider:
- having robust identity verification processes in place and adapting them to emerging impersonation fraud threats;
- training staff in identity verification processes and how to report and escalate fraud;
- implementing multifactor authentication; and
- automatically notifying customers when changes are made to their account or there are failed authentication attempts.
Of further note is the data reported by the OAIC that 43% of data breaches resulted from cyber security incidents. Moreover, cyber incidents accounted for 66% of malicious or criminal attacks (the remaining breaches are attributable to conduct including impersonation, actions of a rogue employee, or theft of paperwork). The two major types of cyber incidents reported to the OAIC were those involving compromised or stolen credentials and ransomware.
In respect of the first type of incident, the most common method used by malicious actors to obtain compromised credentials was email-based phishing. This demonstrates the continuing necessity of effectively educating employees about the risks of phishing emails and how to identify them.
In respect of the second type of incident, the OAIC reported a 24% increase in ransomware incidents. Given the prevalence of ransomware attacks, the OAIC expects entities to have appropriate internal practices, procedures, and systems in place to undertake a meaningful assessment of whether an NDB has occurred. The report notes that, as best practice, entities should:
- have appropriate audit and access logs;
- use a backup system that is routinely tested for data integrity;
- have an appropriate incident response plan; and
- consider engaging a cyber security expert at an early stage to conduct a forensic analysis if a ransomware attack occurs.
The report further notes that a number of entities assessed that a ransomware attack did not constitute an eligible data breach due to a "lack of evidence" that access to or exfiltration of data had occurred. However, an assessment of a suspected data breach under section 26WH of the Privacy Act is required if there are reasonable grounds to suspect that there may have been an eligible data breach, even if there are insufficient grounds to believe that an eligible data breach has actually occurred.
The failure of entities to promptly notify the OAIC of data breaches is also a significant issue. The OAIC noted that, in the reporting period, 81% of breaches were identified by the relevant entity within 30 days of the breach occurring, up from 75%. However, only 72% of entities went on to notify the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach, down from 78% in the previous period. Of note, only 67% of finance sector entities notified the OAIC within 30 days of the entity becoming aware of an incident. This figure was 35% for Australian Government agencies.
Failure to comply with the notification requirements may result in a court making any orders it thinks fit in respect of the relevant entity, which could include an award of damages.
The OAIC report highlights the need for entities to continually improve their approach to preventing data breaches. In particular, entities should:
- adapt their security measures and processes to address the growth of personal information on the dark web leading to increased impersonation fraud threats;
- implement and maintain policies and infrastructure to address cyber incidents, particularly phishing and ransomware;
- bear in mind their reporting obligations to the OAIC – the key criterion is whether there may have been an eligible data breach, not whether a data breach has definitely occurred; and
- notify the OAIC and affected individuals of a notifiable data breach, in accordance with the procedure in the Privacy Act, as soon as it is practicable to do so.