Accidental personal info disclosure hit Australians 260,000 times last quarter

85 cases of human error resulted in 269,621 instances of Australians having their personal information disclosed accidentally.
Written by Asha Barbaschow, Contributor

The latest quarterly report on Australia's Notifiable Data Breaches (NDB) scheme has revealed around 269,621 separate cases of individuals having their personal information impacted as a result of a human error.

The report [PDF] says that during the period covering October 1, through to December 31, 2018, 262 notifications of data breaches were received by the Office of the Australian Information Commissioner (OAIC), with 85 being put down to human error.

Data breaches involving human error that resulted in the unintended release or publication of personal information were uncovered in 15 cases. In these cases, an average of 17,746 individuals were affected.

Meanwhile, breaches that caused a failure to securely dispose of records of personal information impacted around 600 individuals, the report added.

The loss of paperwork or a data storage device was to blame for around 330 individuals having their information exposed, while 23 individuals had their personal information sent to a "wrong" email address.

Two individuals had their information exposed due to a fax being sent to the wrong recipient.


Malicious or criminal attacks were the largest source of data breaches during the quarter, accounting for 64 percent of all data breaches -- 168 data breaches.

68 percent of these involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, compromised or stolen credentials, and social engineering or impersonation, the report explained.

"Many cyber incidents in this quarter appear to have exploited vulnerabilities involving a human factor, such as clicking on an attachment to a phishing email," it said.

Theft of paperwork or data storage devices from malicious or criminal attacks accounted for 15 percent of the breaches. Other sources included actions taken by a rogue employee or insider threat, which involved 12 percent of the breaches, as well as social engineering or impersonation which was to blame for five percent of the cases.

"System faults" was identified as the reason for three percent of data breaches during the three month period.

The health sector remained in pole position as the most breached, accounting for a total of 54 NDBs. Finance, including superannuation, was the second most breached sector, accounting for 40 notifications; followed by legal, accounting, and management services with 23; education with 21 notifications; and 12 from the mining and manufacturing sector.

Of the health-related notifications, human error was identified as the cause in 29 cases.

In eight of those cases, personal information was sent to the wrong recipient via email; there were also seven instances of sending an email without using the BCC function. For four of the cases, loss of paperwork or storage device was to blame.

11 notifications from the health services provider segment were attributed simply to a "cyber incident", and five were linked back to an insider threat or a rogue employee.

The legal, accounting, and management services sector and the mining and manufacturing sector also reported that the majority of breaches resulted from malicious or criminal attacks.

Australia's NDB scheme came into effect in February last year, requiring agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in "serious harm", as soon as practicable after becoming aware of the breach.

Notifications made under the My Health Records Act 2012 are not included in this report, however, as they are subject to specific notification requirements set out in that Act.

The continued presence of private health providers as the most breached sector is unlikely to quell concerns over Australia's centralised My Health Record system. The Australian Digital Health Agency (ADHA) said that only 1.15 million Australians had opted out of the system, representing an opt-out rate of less than 5 percent.

The ADHA last week said 6.45 million individuals currently have a My Health Record.

