Malicious attacks continue to account for 64% of data breaches: OAIC

It's the first report since OAIC announced it would shift the NDB reporting scheme from a quarterly report scheme to a six-month one.
Written by Aimee Chanthadavong, Contributor

The Office of the Australian Information Commissioner (OAIC) has revealed that there was a 19% increase in the number of data breaches reported under the Notifiable Data Breaches (NDB) scheme between July and December 2019, compared to the first half of the year.

Specifically, the OAIC reported that 537 breaches were notified under the scheme, up from 460 in the previous six months.

This is the first half-year report produced by the OAIC since it announced in August that it would move from its quarterly reporting scheme to one every six months.

The OAIC report also revealed that malicious or criminal attacks, including cyber incidents, continued to be the largest source of data breaches, accounting for 64% of all notifications, or 343 breaches, which was 61 more notifications than in the previous half year.


Of the total data breaches, 230 notifications were classified as cyber incidents such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials, the report said.

Meanwhile, theft of paperwork or data storage devices, and rogue employee or insider threats, each accounted for 12% of all malicious or criminal attacks.

Data breaches that resulted from human error accounted for 170, or 32%, of all breaches, down 34% from the last reporting period.

Breaking it down, 49 of those human error-related breaches were due to personal information being sent to the wrong recipient via email, while another 40 resulted from the unintended release or publication of personal information, and 18 others were from the loss of a data storage device or paperwork.

The report also showed that while there were only four NDB notifications related to the insecure disposal of information, the average number of affected individuals in those breaches came to 1,574, compared with an average of 340 for breaches caused by emailing information to the wrong recipient.

The report also called out one data breach that affected 10 million or more individuals, and another two that affected between 1 million and 10 million individuals.

"The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

"Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts."


Human error was to blame for 51, or 43%, of data breaches in the health sector, compared to an average of 32% across all notifications.

Overall, the health sector was the highest reporting sector, notifying 117, or 22%, of all data breaches during the half year. It was followed by the finance sector and the legal and accounting sector.

When it came to the types of personal information involved in breaches across all sectors, the OAIC found that 411 of the breaches notified under the scheme between July and December 2019 involved contact information, such as an individual's home address, phone number, or email address; 198 involved financial details, such as bank account or credit card details; and 162 involved identity information, such as a passport number, driver licence number, or other government identifier.
