OAIC to shift NDB reporting scheme from quarterly to every six months

It follows the release of its last quarterly report, which indicates that many of the attacks between April and June involved a human factor.

The Office of the Australian Information Commissioner (OAIC) has announced it will now report every six months on notifications received under the Notifiable Data Breaches (NDB) scheme, moving away from the quarterly reporting it has used since the scheme came into effect in February 2018.

The announcement follows the release of the last quarterly report, which shows that malicious or criminal attacks still made up more than half of all data breaches notified between 1 April and 30 June 2019.

The report from OAIC showed malicious or criminal attacks accounted for 151 data breaches, or 62%, of the 245 notifications received under the NDB scheme, 30 more notifications than in the previous quarter.

Of those malicious or criminal attacks, nearly 70% involved cyber incidents, such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials, the report said.

Meanwhile, theft of paperwork or data storage devices made up nearly 15% of all malicious or criminal attacks, and 8% were attributed to rogue employees or insider threats.

According to the OAIC, many malicious or criminal attacks during this quarter exploited a human factor, including individuals clicking on a link in a phishing email, or attackers using credentials that had been compromised or stolen by other means, such as in another data breach, to obtain unauthorised access to personal information.

Unsurprisingly then, human error was the second largest source of data breaches, accounting for 84, or 34%, of all NDB notifications during the quarter.

Of those, 35% were due to people sending personal information to the wrong recipient via email, another 18% were unauthorised disclosures through the unintended release or publication of personal information, and a further 12% resulted from the loss of paperwork or a data storage device.

Of the total notifications, 62% involved the personal information of 100 individuals or fewer.

The report also called out one data breach that affected 10 million or more individuals. Although OAIC did not name the affected company, Australian tech unicorn Canva was breached in May, with the data of 139 million Canva users stolen.

"The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions," said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

The OAIC report also highlighted that from April to June 2019 the sector with the most data breaches under the NDB scheme was the private health sector, accounting for 19% of all data breaches. It was followed by the finance sector at 17%, and legal, accounting, and management services at 10%.

Human error was again to blame for more than half of notifications that affected the private health sector, the report said.

Microsoft, meanwhile, has said that users of any online service who enable multi-factor authentication (MFA) on their accounts will block 99.9% of automated attacks.

"Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.

Google has made similar suggestions, saying users who added a recovery phone number to their accounts (and thereby indirectly enabled SMS-based verification) were also improving their account security, though its own figures show that the protection against targeted attacks is considerably weaker than against automated or bulk ones.

"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation," Google said in May.