The latest quarterly report from the Office of the Australian Information Commissioner (OAIC) shows 262 data breaches involving personal information were notified between October and December 2018.

The leading cause of notifiable data breaches in the December quarter was malicious or criminal attack (168 notifications), followed by human error (85 notifications) and system error (9 notifications). Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks.

Australian Information Commissioner and Privacy Commissioner Angelene Falk reinforced the need for organisations and individuals to secure personal information by safeguarding credentials.

“Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information,” she said.

“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.

“The OAIC works with the Australian Cyber Security Centre to provide prevention strategies for organisations, including regularly resetting and not reusing passwords.

“If a data breach occurs, early notification can help anyone who is affected take action to prevent harm.

“By changing passwords, checking your credit report, and looking out for scams using your personal information, you can help minimise the harm that can result from a data breach.”

Gerry Power, Head of Sales at cyber specialist underwriting agency Emergence Insurance, said many cyber incidents in the quarter exploited vulnerabilities involving human factors. “Data breaches continue to increase, emphasising the vital need for employers to educate their employees. Since the NDB scheme was introduced on 22 February 2018, there have been 812 notifications, which is a massive 612 per cent increase on the 114 notifications in the year before the scheme’s launch.”

He said the latest report, the scheme’s fourth, showed the NDB scheme was having a material impact on data breach disclosures. The number of notifications continued to increase every quarter and the healthcare and finance sectors continued to be most impacted.

“People keep finding new ways to make mistakes, but there’s no doubt staff education can materially reduce the potential for data breaches,” Power continued.

“A cyber policy is part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” he emphasised.

Key statistics
The Notifiable Data Breaches October – December 2018 report shows:

  • 262 data breaches were notified to affected individuals and the Office of the Australian Information Commissioner, compared to 245 the previous quarter:
    • 64 per cent were attributed to malicious or criminal attacks, compared to 57 per cent the previous quarter
    • 33 per cent were attributed to human error, compared to 37 per cent the previous quarter
    • 3 per cent were attributed to system faults, compared to 6 per cent the previous quarter
  • 60 per cent involved the personal information of 100 or fewer individuals, compared to 63 per cent the previous quarter
  • The top five sectors to report breaches were:
    • Private health service providers: 54
    • Finance: 40
    • Legal, accounting and management services: 23
    • Private education providers: 21
    • Mining and manufacturing: 12

The December quarter Notifiable Data Breaches report is available here.