The latest quarterly figures from the privacy watchdog’s mandatory data breach reporting scheme show data breaches are rising again in Australia. Human error has been identified as a key factor to be addressed, and Australia’s Information Commissioner is calling for more staff training on cybersecurity.
Under the Notifiable Data Breaches (NDB) scheme, Australian entities with an annual turnover of $3 million or more, with few exceptions, must report any data breaches likely to result in “serious harm” to the Office of the Australian Information Commissioner (OAIC) and to affected individuals.
Previously, organisations had few obligations to report data breaches. Since the NDB began, reporting of breaches has surged 712 per cent over the non-mandatory reporting levels.
The OAIC says the scheme has been effective and the watchdog’s reporting on breach data will now shift from quarterly to bi-annually.
Breaches back up
The latest report on the scheme revealed there were 245 breach notifications in the last quarter, a rise from the previous quarter, in which notifications had fallen for the first time since the scheme’s inception over a year ago.
The cost and size of data breaches is also rising in Australia, according to IBM research, which found the cost of a breach in Australia, on average, is now $US 2.13 million.
Information Commissioner and Privacy Commissioner Angelene Falk said the scheme, now over a year old, has become an effective mechanism for breach reporting.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combatting data breaches and improving response strategies,” Falk said.
“Effecting change in practices to prevent breaches is vital to the goal of protecting the community. Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”
Last quarter data
The latest quarterly figures show a continued trend of breaches arising from malicious or criminal attacks (62 per cent) and human error (34 per cent), with just four per cent of breaches resulting from system faults.
Human error, like clicking on phishing emails or reusing passwords, accounted for 84 reported data breaches in the quarter. But unlike the other main cause – malicious or criminal attacks – human error can be addressed by organisations with better awareness and training, according to Falk.
“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” Falk said.
The report shows health and finance sectors are again the worst offenders, and breaches typically expose contact information and financial details.