The number of data breaches reported to Australia’s privacy regulator rose 19 per cent in the last six months of 2019. Nearly two-thirds were caused by malicious or criminal attacks, including cyber incidents, and the health and finance sectors were again the worst offenders.
Australia’s information and privacy regulator, the Office of the Australian Information Commissioner (OAIC), today released the latest biannual results of the Notifiable Data Breach scheme, the first such reporting period following the previous quarterly results.
The OAIC was notified of 537 data breaches during the reporting period, a 19 per cent rise on the previous six months.
Sixty-four per cent of the breaches were the result of a malicious or criminal attack, and two-thirds of these attacks were classified as a cyber incident. Human error (32 per cent) and system fault (four per cent) accounted for the remainder of reported breaches.
The proportion of malicious attacks and cybercrime is a “substantial” rise on the previous six months, the OAIC says, with attackers using phishing, malware, ransomware, brute-force attacks, and compromised or stolen credentials to access personal information.
But in 32 per cent of the breaches resulting from a cyber incident the reporting entity was not able to identify how the attacker obtained personal information.
Health and finance account for over a third of all reported breaches in the reporting period. The health sector reported 117 breaches in the period or 22 per cent of the overall total. Finance organisations reported 77 breaches or 14 per cent.
John Donovan, managing director ANZ at Sophos, said there has been little improvement in data breaches in the local finance sector in recent years.
“The sector’s long reign near the top [of breach reporting] indicates a need for radical change when it comes to cybersecurity.”
He says the latest report shows a need for the sector to invest in cybersecurity technology and staff training.
“Alarmingly, 39 per cent of the sector’s data breaches were a result of human error, indicating more training and awareness must be done to develop a more cyber-aware culture.
“Australians trust the finance sector with PII (personally identifiable information) like names and addresses, but also confidential information such as bank details and credit scores. It’s time for the industry to repay this faith and do more to protect Australians’ information.”
Established scheme recording more breaches
Under the mandatory reporting scheme, most Australian organisations must report any data breach of personal information likely to result in harm to individuals to the regulator.
Since the scheme was introduced the number of breaches reported has trended up steadily.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said the NDB scheme is now well established as an effective reporting mechanism.
“There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies,” Falk said.
“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised.”