519 data breach notifications include 33 from Australian government entities

One of the 33 breach notifications was the result of a brute-force attack, the OAIC has detailed in its latest report.
Written by Asha Barbaschow, Contributor

Australian entities covered by the Privacy Act reported 519 instances of data breaches in the six months to December 2020, a 5% increase from the first half of the year.

Data breach notification to the Office of the Australian Information Commissioner (OAIC) became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.

Need to disclose a breach? Read this: Notifiable Data Breaches scheme: Getting ready to disclose a data breach in Australia

Since the mandate, health has been the most affected sector; the latest report [PDF] shows no change, with health accounting for 123 notifications, followed by finance with 83 notifications. The Australian government entered the top five sectors for the first time, accounting for 6% of the total, with 33 notifications.

The Privacy Act 1988 covers most Australian government agencies; it does not cover a number of intelligence and national security agencies, nor does it cover state and local government agencies, public hospitals, and public schools.

Delving deeper on the government faux pas, human error was to blame for 29 of the sector's total notifications, two stemmed from a malicious or criminal attack, one was attributed to a "cyber incident", and the remaining one to social engineering/impersonation.

The "cyber incident" was confirmed as a brute-force attack on the unnamed entity.

The most common type of human error to blame for the government's notifications was personal information being sent to the wrong recipient. Failure to redact was to blame for five notifications.

In total, malicious or criminal attacks, including cyber incidents, remained the leading source of data breaches, accounting for 58% of all notifications -- 310 breaches. Data breaches resulting from human error accounted for 38% of notifications, at 204. System faults accounted for the remaining 25 breaches notified.

"While it is possible that this increase is linked to changed business and information handling practices resulting from remote working arrangements, the OAIC is yet to identify any information or incidents that conclusively prove a link," the office said, pointing to COVID-19 stay at home measures and the uptick of human error-related breaches.

91% of data breaches notified under the NDB scheme from July to December 2020 involved contact information, such as an individual's home address, phone number, or email address.

Data breaches resulting from social engineering or impersonation accounted for 34 notifications. Actions taken by a rogue employee or insider threat accounted for 35 notifications, up from 23, and theft of paperwork or storage devices resulted in 29 notifications.

23% of all notifications received by the OAIC involved malicious actors gaining access to accounts using compromised or stolen credentials, with the most common method email-based phishing.

"This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations," the report says. "The human factor is an important element in an organisation's overall information and cybersecurity posture, given these attacks rely on a person clicking on a phishing link."

68% of data breaches affected 100 individuals or fewer, but one of the notifications affected over 10 million individuals.

August saw 208 notifications made, and November only 62.

The OAIC also said it received a number of notifications during the reporting period that involved a managed service provider (MSP) hosting or holding data on behalf of one or more other entities.


Editorial standards