Strategic Group Blog - Learn about IT stuff. Be Awesome.

Are you liable under the Mandatory Data Notification Law?

Written by Emily Gam | 07-Aug-2018 01:16:58

The Office of the Australian Information Commissioner (OAIC) released their Notifiable Data Breaches Quarterly Statistics Report for last quarter.

The report outlines information and trends associated with notifications received by the OAIC under the Notifiable Data Breaches scheme.

There were 242 notifications over the quarter, with 59% caused by malicious or criminal attacks, 36% caused by human error and 5% attributed to system faults.

Malicious or criminal attacks include phishing, ransomware, malware, stolen or hacked credentials, and any kind of social engineering or impersonation.

Human error can include accidentally sending an email containing personal information to the wrong person, or the unintended release or publication of personal information.

What information is notifiable?

The majority of the information affected by the breaches is simply contact information. It’s important to remember that it is not only details such as credit card numbers: a home address, phone number or email address also counts as sensitive information that falls under mandatory reporting.

This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as passport number, driver’s licence number or other government identifiers.

It’s important to remember that a data breach can be as simple as accidentally sending contact information to the wrong email, or as serious as a hacker gaining access to financial information like credit card details. Under the Mandatory Data Breach laws, both of these incidents are reportable.

What to do if a data breach occurs

If a data breach is found to have occurred, you have a maximum of 30 days from when you became aware of the breach to notify affected parties. You can notify affected parties either directly (email, phone) or indirectly (a notification on your website). You must also notify the Office of the Australian Information Commissioner (OAIC).

The following should be included in your notification:

  • The personal information involved in the breach
  • A description of the data breach
  • Your contact details
  • Recommendations for steps the affected parties can take to minimise harm

Organisations must respond swiftly in the event of a breach. A well-documented and annually tested business continuity plan should be in place and understood by the key members of the organisation who are required to act at the time of an incident.

How to prevent a data breach

To help prevent a data breach, businesses should be taking a proactive approach to their cyber security by conducting regular security health checks. This should include looking at where and how your data is stored, what applications are in use and who has access to different areas of the network.

One of the major threats highlighted in the report is basic human error. While we can never fully eliminate the risk of a person making a mistake, we can implement sound training programs to help mitigate it. Continual training and testing can improve the skills employees need to identify risks such as phishing emails, and keep cyber security and its importance top of mind.