The Office of the Australian Information Commissioner (OAIC) has published the first full quarterly report on data breaches that fall under the Notifiable Data Breaches (NDB) scheme and, thus, had to be reported to the OAIC.
“The NDB scheme applies to agencies and organisations that the Privacy Act requires to take reasonable steps to secure personal information. This includes most Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit reporting bodies, private health service providers, and TFN [tax file number] recipients, among others,” the OAIC explained.
The report encompasses 242 data breaches reported between 1 April and 30 June 2018.
Data breach statistics
The analysis of the reports reveals that 59 percent of those breaches were caused by malicious or criminal attacks, 36 percent by human error, and 5 percent by system faults.
“Many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords),” the OAIC shared.
It’s interesting to see how many of the breaches are pulled off by compromising credentials.
Most of the breaches involved the compromise of contact information (e.g., an individual’s home address, phone number or email address), and 42 percent of them involved the compromise of financial details (e.g., bank account or credit card numbers).
Health service providers in the private sector reported the greatest number of data breaches (49), followed by organizations in the finance sector (36), legal, accounting and management services (20), education (19), and business and professional associations (15).
And that’s not counting the notifications made under the My Health Records Act 2012, which have not been included in the report as they are subject to specific notification requirements. Also, public hospitals aren’t covered by the Notifiable Data Breaches scheme, so these numbers don’t include data breaches at those organizations.
Other interesting revelations
Ransomware attacks that lead to data breaches are unexpectedly rare: only two were reported in this batch.
The compromise of credentials through phishing, brute-force attacks, or by unknown methods is a particularly common attack approach in the finance sector.
Human error – sending personal information to the wrong recipient, loss of paperwork or storage devices, etc. – is the largest source of data breaches from the health sector.