Phishing spikes as private health continues to be most breached sector in Australia

Lawyers, accountants, and management types are the most likely to click on phishing links, according to the Notifiable Data Breaches report for July to September.
Written by Chris Duckett, Contributor

One fifth of all Notifiable Data Breaches (NDB) in Australia for the three months between July and September were a result of phishing, while private health retains its crown as Australia's most breached sector.

Overall, the Office of the Australian Information Commissioner (OAIC) received 245 data breach notifications for the period, an increase of three, with a pair of breaches impacting between 100,000 and 250,000 people being the largest reported.

The most common band of impacted people was between 100 and 1,000 people, with 65 breaches reported, followed by 58 hitting a single individual, and 53 breaches impacting between 11 and 100 people.

Contact information was the type of information most commonly breached, with 208 instances, followed by financial details in 110 instances; identity information in 85 instances; and tax file numbers in 55 instances. Health information was revealed in 54 breaches.

The OAIC said 57 percent of all breaches were a result of a malicious attack, with 37 percent due to human error and 6 percent as a result of a system fault.

Of the attacks, half were due to phishing, with almost a fifth as a result of compromised or stolen credentials, and 12 percent due to brute-force attacks.

Broken down by sector, 45 breaches were reported by private health providers, followed by the finance sector with 35, and the legal, accounting, and management services sector with 34.

The majority of the health breaches were due to human error, with the remainder attributed to malicious attacks, apart from a single breach caused by a system fault.

Four breaches each were attributed to the loss of paperwork or a storage device, to sending personal information to the wrong recipient by email, to sending personal information to the wrong recipient by mail, and to unauthorised disclosure through the unintended release or publication of information; a further four breaches were due to phishing attacks.

A single breach each was reported by the private health sector as being due to malware, ransomware, and hacking by other means.

The report only covers private health service providers under the NDB, the OAIC said, with public hospitals and health services covered by the My Health Records Act and hence not included in the report.

The legal, accounting, and management services sector was hit by phishing more than any other, with nine attacks, and also recorded the highest number of cyber attacks overall.

"Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them," Australian Information Commissioner and Privacy Commissioner Angelene Falk said. "Our latest report shows 20 percent of data breaches over the quarter occurred when personal information was sent to the wrong recipient by email, mail, fax, or other means.

"Importantly, we also need to be on the alert for suspicious emails or texts, with 20 percent of all data breaches in the quarter attributed to phishing."

The continued presence of private health providers as the most breached sector is unlikely to quell concerns over Australia's centralised My Health Record system. The Australian Digital Health Agency (ADHA) said last week that only 1.15 million Australians had opted out of the system, representing an opt-out rate of less than 5 percent.

The week prior, the Senate Community Affairs References Committee called for the opt-out window to be extended by 12 months, rather than closed on November 15, and for access controls to be applied to records by default. In a dissenting report, government senators disagreed with the recommendations.

Documents recently obtained under Freedom of Information showed ADHA had no detailed policy or process for releasing My Health Record data to support regulatory and legal requests.

The only internal policy guidance appears to have been the agency's commitment, stated publicly, not to release data except "where the agency has no discretion", such as when responding to a court order.
