The health sector continues to be the most affected in Australia when it comes to data breaches, and its breaches are largely due to human error.
The Office of the Australian Information Commissioner has released its notifiable data breaches report for the first quarter of the 2019 calendar year, as well as its 12-month insights report.
January to March 2019 saw 215 data breaches reported to the OAIC, down from 262 in Q4 2018. The latest report is the first to cover a full January-March quarter, as the scheme commenced on 22 February 2018.
In January, 62 data breaches were reported under the scheme, followed by 67 in February, while 86 were reported in March.
The sectors most affected were health service providers, which reported 58 breaches, financial institutions including superannuation providers (27 breaches), legal, accounting and management services (23 breaches), education (19 breaches) and retail (11 breaches).
Of the breaches in that period, 35 percent (75 breaches) were caused by human error, 61 percent (131 breaches) were the result of a malicious or criminal attack, and four percent (nine breaches) came about because of system faults.
In breaking down the breaches caused by malicious or criminal activity, the report highlighted that 87 of the notifications were because of a “cyber incident”. Rogue employees and insider threats were responsible for 19 breach notifications, theft of paperwork or storage media was reported in 18 breaches, and social engineering or impersonation was a factor in seven breaches.
Cyber incidents consisted of compromised or stolen credentials (40 percent), phishing (20 percent), hacking (13 percent), malware (13 percent), brute-force attacks (seven percent) and ransomware (seven percent).
Breaches as a result of human error came down to a number of factors, including unauthorised disclosure through unintended release of documents and failure to redact sensitive material; personal information being sent to the wrong recipient, by email or otherwise; loss of paperwork or storage media; and failure to use the BCC field when sending an email to multiple recipients.
The health service sector was both the most frequent target of cyber attacks and the sector with the most human error-related breaches. Human error was the leading source of its notifications, at 30, with criminal attacks accounting for 26 breaches and system faults resulting in two breaches.
For most of the organisations reporting breaches, each incident affected the personal information of 100 individuals or fewer, according to the report.
The kind of information leaked was mostly contact information, which was exposed in 186 notifications, followed by financial details (exposed in 98 notifications), health information (63 notifications), identity information (55 notifications) and tax file numbers (36 notifications).
The OAIC publishes Notifiable Data Breaches Quarterly Statistics Reports, which will become half-yearly from July, to provide insight into the causes of data breaches and to “assist entities and the public to understand the operation of the NDB scheme”.
The latest quarterly report can be read on the OAIC website.
Across the 12 months from 1 April 2018 to 31 March 2019, there were 964 eligible data breaches, and reporting of breaches has increased 712 percent since the scheme was introduced, according to the OAIC's 12-month insights report.
For the 12 months, 60 percent of breaches were malicious or criminal attacks, and 153 were related to phishing. Among cyber incidents, 28 percent involved credentials obtained by means unknown to the affected organisation.
The vast majority of data breaches, 83 percent, affected fewer than 1000 people in each instance.
Human error was a factor in 55 percent of all 206 health sector data breaches throughout the year, well above the cross-industry average of 35 percent. Three breaches in the health sector were system fault-related, while 90 were malicious or criminal attacks.
The full 12-month insights report can be read on the OAIC website.