Reports of data breaches have again risen under Australia’s mandatory reporting scheme, with the privacy watchdog warning of increasing incidence of human error exposing people’s personal information.
The Office of the Australian Information Commissioner (OAIC) received 539 data breach notifications in the second half of last year, an increase of five per cent on the previous six months.
The figures, from the latest Notifiable Data Breaches Report, reveal the increasing number of instances of human error leading to data breaches. Nearly two in every five breaches in the period were attributed to human error.
“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received — up 18 per cent to 204 — and proportionally — up from 34 per cent to 38 per cent,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.”
Malicious or criminal attacks nonetheless remain the leading source of data breaches, accounting for 58 per cent of notifications. Even so, the privacy watchdog is imploring Australian organisations to train their staff to minimise breaches and to be ready to respond when they do occur.
“Entities must have effective systems for detecting, containing, assessing, notifying and reviewing data breaches,” Falk said.
“Critically, they need to provide individuals with clear and timely information about data breaches, including recommendations on steps they can take to protect themselves from harm.”
Under Australia’s Notifiable Data Breaches (NDB) scheme any organisation or agency the Privacy Act 1988 covers must notify affected individuals and the OAIC when a data breach is likely to result in “serious harm” to an individual whose personal information is involved.
Falk said that, with the scheme now running for nearly three years, the watchdog expects organisations to have improved the security of their personal information handling, and her office will prioritise regulatory action where there are “significant failings”.
Will Calvert, director of technology and enablement at RMIT Online, and board member of Resilience by Design, said the way organisations manage cybersecurity must continue to evolve to keep pace with attackers.
“Even more so if we truly want to remain one step ahead of cyberattacks,” Calvert told Which-50.
Calvert said effective cyber defence is as much about people and process as technology.
“Arming staff with the right technology, providing continuous learning and quality cybersecurity education, alongside incident response preparation and exercising, should be core business for any organisation.”
Healthcare a target
Simon Howe, VP Sales Asia Pacific, LogRhythm, noted that the threat to healthcare security has again been highlighted in the report. The health sector remains the highest reporting industry sector, notifying nearly a quarter of all breaches.
The number of breaches in the health sector is particularly troubling, Howe said, because of Australia’s upcoming vaccine rollout.
“With the COVID-19 vaccination roll-out in Australia set to start next month, Australians should be warned about sharing personal health information and be wary of links sent through emails, texts and messengers from unknown numbers or users.”
Howe said every organisation should enable network infrastructure to block malicious access attempts, but it is also important to create a culture of data security.
“Security teams should also frequently review their crisis plan and work towards a company-wide program which integrates cybersecurity and data protection protocols as a way to simplify detecting attacks and recovering systems and data if they’re infected.”