On 23 August 2021, the Office of the Australian Information Commissioner (OAIC) published its bi-annual Notifiable Data Breaches Report for the January to June 2021 period. As readers may recall, our February Cyber updated summarised the findings of the July to December 2020 Report – available here.
To recap, organisations or government agencies covered by the Privacy Act 1988 (Cth) are required to notify the OAIC and individuals when there has been a data breach that is likely to result in serious harm to an individual whose personal information has been involved in a breach.
The good news was that there was a 16% reduction in the number of breaches. 446 breaches were notified in the January to June 2021 period, in comparison to 530 notifications in the July to December 2020 period. Broken down by source, notifications arising from:
Malicious or criminal attacks accounted for 65% of breaches, followed by human error at 30% and system fault at 5%.
Malicious or criminal attacks included brute force attacks, malware, phishing, hacking, ransomware and compromised or stolen credentials.
The most common types of human error included:
The personal information released in the breaches was broken down as:
Sensitive information is personal information that is information or an opinion about an individuals:
Health service providers reported the majority of the breaches (19%), followed by the finance sector (13%).
To read a full copy of the report click here.
Whilst there has been a reduction in breaches attributable to human error, human error still accounts for nearly one third of the notifications. It is often human error that allows the phishing or other cyber-attack to take place. It is always human error that results in the breach where there is a failure to take simple steps such as having secure passwords or to take care when sending material, particularly by email.
The problem is self-evidently a whole of business problem. It requires a whole of business solution, including education, training and monitoring, not just the provision of a good IT system. The IT system won’t prevent human error.
If you have any queries in relation to this article, please contact Iain Freeman.