Notifiable Data Breaches: the latest statistics are in, and criminal attacks lead

The Office of the Australian Information Commissioner has released the notifiable data breaches quarterly statistics for the period 1 January to 31 March 2019.

We reported on the previous release, covering the October to December 2018 quarter, in our 14 February 2019 Cyber Update. The key statistic in the latest report is that there were 215 notifications.

The number of notifications decreased slightly this quarter, after a gradual increase over the three prior quarters since reporting became mandatory.

Of the breaches this quarter:

  • 61% were malicious or criminal attacks;
  • 35% were due to human error; and
  • 4% were due to system faults.

These statistics show that notifiable data breaches are a real business problem, especially since malicious or criminal attacks are deliberately crafted to exploit known vulnerabilities for financial or other gain, whereas human error is an unintended action by an individual that directly results in a data breach.

Several incidents this quarter appear to have exploited vulnerabilities involving a human factor, such as an employee clicking on a phishing email, or the use of social engineering or impersonation to fraudulently obtain access to personal information.

This quarter, 60% of all data breaches involved the personal information of 100 individuals or fewer, while data breaches affecting between 1 and 10 individuals made up 50% of the notifications.

Contact information was the most common type of information involved, featuring in 87% of the breaches.

This quarter, targeted malicious or criminal attacks were the root cause of 61% of all data breaches.

Of these targeted criminal attacks:

  • 66% were related to phishing attacks, malware or ransomware, brute-force attacks, or compromised or stolen credentials;
  • 14% were from theft of paperwork or data storage devices;
  • 15% were actions taken by a rogue employee or insider threat; and
  • 5% were from social engineering or impersonation.

Targeted phishing attacks are a top security threat, and cyber-attacks can cost your business both financially and reputationally. Businesses should focus on ensuring they have adequate security measures in place, and on regularly training staff to be vigilant and to recognise the signs of a suspicious email.

The takeaway is that businesses need to develop the expertise internally, or engage the right external expertise, to investigate and identify cyber security threats and to tackle contemporary cyber-crime and security challenges. That expertise should also be used to conduct risk and vulnerability assessments of networked devices and infrastructure, and then to develop innovative solutions to the issues found.

This is not a problem that will go away. It must be addressed.