Cyber Update - Human After All: new statistics released on data breaches

On 23 August 2021, the Office of the Australian Information Commissioner (OAIC) published its six-monthly Notifiable Data Breaches Report for the January to June 2021 period. As readers may recall, our February Cyber Update summarised the findings of the July to December 2020 Report – available here.

To recap, organisations and government agencies covered by the Privacy Act 1988 (Cth) are required to notify the OAIC and affected individuals when there has been a data breach that is likely to result in serious harm to any individual whose personal information is involved.

The good news was a 16% reduction in the number of breaches: 446 breaches were notified in the January to June 2021 period, compared with 530 notifications in the July to December 2020 period. Broken down by source, notifications arising from:

  • malicious or criminal attack reduced by 5%;
  • human error reduced by 34%; and
  • system fault reduced by 4%.

Malicious or criminal attacks accounted for 65% of breaches, followed by human error at 30% and system fault at 5%.

Malicious or criminal attacks included brute force attacks, malware, phishing, hacking, ransomware and compromised or stolen credentials.

The most common types of human error were:

  • emailing personal information to the wrong recipient – 54 notifications;
  • unintended release or publication – 31 notifications;
  • failing to use the BCC function when sending emails – 11 notifications;
  • sending personal information to the wrong recipient by other means – 10 notifications;
  • mailing personal information to the wrong recipient – 9 notifications;
  • failing to redact – 9 notifications;
  • losing paperwork or a data storage device – 8 notifications;
  • unauthorised verbal disclosure – 2 notifications; and
  • insecure disposal – 1 notification.

The personal information involved in the breaches was broken down as follows (a single breach can involve more than one kind of information, so the counts exceed the number of notifications):

  • contact information – 407 notifications;
  • identity information – 247 notifications;
  • financial details – 193 notifications;
  • health information – 136 notifications;
  • tax file numbers – 102 notifications; and
  • other sensitive information – 75 notifications.

Sensitive information is personal information that is information or an opinion about an individual's:

  • racial or ethnic origin;
  • political opinions or associations;
  • religious or philosophical beliefs;
  • trade union membership or associations;
  • sexual orientation or practices;
  • criminal record;
  • health or genetic information; or
  • some aspects of biometric information.

Health service providers reported the largest share of the breaches (19%), followed by the finance sector (13%).

To read a full copy of the report click here.

Lavan Comment

Whilst there has been a reduction in breaches attributable to human error, human error still accounts for nearly one third of the notifications. It is often human error that allows a phishing or other cyber-attack to succeed, and it is human error by definition where a breach results from a failure to take simple precautions such as using secure passwords or taking care when sending material, particularly by email.

The problem is self-evidently a whole-of-business problem. It requires a whole-of-business solution, including education, training and monitoring, not just the provision of a good IT system. A good IT system can limit the damage a mistake causes, but it will not prevent the mistake being made.

If you have any queries in relation to this article, please contact Iain Freeman.