The Office of the Australian Information Commissioner has released the notifiable data breaches quarterly statistics for the period 1 October to 31 December 2018.
We reported on the previous release for the July to September 2018 quarter in our 23 November 2018 Cyber Update, which can be found here. The key statistic arising out of the latest report is that there were 262 notifications (indicating that notifications have increased slightly over the period since reports have been mandatory). Of the reports, 33% were attributed to human error, 64% to malicious or criminal attacks and only 3% to system faults.
The statistics make it clear that notifiable data breaches are anything other than simply an IT problem. They are rarely an IT issue. They very much remain a whole of business problem. Any organisation that regards this as an IT issue is missing the point.
Overwhelmingly the type of information disclosed in the breaches was contact information such as names, addresses and phone numbers, followed by financial details. Of real concern, 46 of the disclosures related to disclosure of tax file numbers.
The failure to use blind copy (bcc) when sending emails continued to be problematic as did the sending of emails to the wrong recipient.
Malicious or criminal attacks were defined as those deliberately intended to exploit vulnerabilities for financial or other gain, as contrasted from caused by human error.
The Commissioner noted that many of the incidents were as a result of an exploitation of a vulnerability involving a human factor such as clicking on a phishing email or disclosing passwords. This emphasises the importance of training and the raising of awareness of such risks.
27% of those which were defined as human error involved the sending an email to a wrong recipient or posting mail to a wrong recipient.
The Commissioner noted that these breaches tended to cause the largest amount of personal information, averaging 17,746 individuals per breach. Again, with training and awareness, this risk is capable of management.
Of the cyber incidents, 43% related to phishing attacks, whereas only 7% was from malware and 8% from brute force attacks.
This quarter, health service providers accounted for 54 of the notifications, the finance section - 40, legal accounting and management services - 23, education - 21 and mining and manufacturing - 12.
It was interesting to note that all of those in the mining and manufacture were as a result of malicious or criminal activity whereas two-thirds in legal accounting and management services and the finance section sector were from malicious or criminal activity. In health service providers, there was an equal split between human error and malicious or criminal activity.
The root cause of many breaches is that in no small part, as a result of a lack of training or carelessness. Very few arise as a result of systemic failure. The best systems will not prevent loss caused by carelessness.
The message remains clear: a significant portion of breaches still track back to human error. It is often human error that allows the phishing or other cyber-attack to take place. It is always human error that results in the breach where there is a failure to take such simple steps as having secure passwords or to take care when sending material, particularly by email.
The problem is self-evidently a whole of business problem. It requires a whole of business solution, including education, training and monitoring, not just the provision of a good IT system. The IT system won’t prevent human error.
If you have any queries in relation to this article, please contact Iain Freeman or Lorraine Madden.
