Reported Data Breaches Rise 5% in Australia
Regulator Says Rise Is Modest Considering Pandemic Work-From-Home Shift
The number of data breaches reported under Australia’s mandatory breach reporting law ticked up 5% in the second half of 2020, compared to the first half, with the healthcare industry continuing to be hit the hardest.
The Office of the Australian Information Commissioner received 539 notifications between July and December, up from 512 in the first half of the year, according to its new report.
Healthcare providers reported 133 breaches, followed by finance at 80; education, 40; legal, accounting and management services at 33; and the federal government at 33.
This marked the first time the Australian government entered the top five list of sectors reporting the most breaches, displacing the insurance industry. The federal government’s breach tally excludes intelligence agencies, as well as state and local government agencies, public hospitals and public schools.
Under Australia’s notifiable data breaches law, organizations covered by the Privacy Act 1988 are required to report, within 30 days, breaches that are likely to result in “serious harm.” Fines for noncompliance can range up to 2.1 million Australian dollars ($1.6 million). The breach notification law went into effect in 2018 (see: Australia Enacts Mandatory Breach Notification Law).
Although breach notifications increased by 5%, the OAIC characterized that as a “modest” increase given the rising cybersecurity risks introduced by the rapid shift in early 2020 to working from home due to the COVID-19 pandemic.
But the OAIC cautioned that “more data and analysis are required before a view can be developed on the impact of remote working arrangements on the capacity of entities to securely manage personal information.”
The primary cause for data breaches remained the same during the latest reporting period: malicious or criminal attacks accounted for 58% of the incidents. Those attacks encompass phishing, compromised or stolen credentials, ransomware and social engineering.
“The most common method used by malicious actors to obtain compromised credentials was email-based phishing (54 notifications),” the OAIC says. “This confirms that email-based vulnerability is one of the greatest risks to information security facing organisations.”
Rogue employees or insider threats were listed as the cause for 35 breaches; that included illegal actions, such as theft of paperwork or storage devices.
One category of data breaches that saw a dramatic increase is human error, the cause of 38% of all breaches in the second half of last year. The OAIC says that 204 reports with that cause were filed, up 18% from the preceding six months.
“Common examples of human error breaches include sending personal information to the wrong recipient via email (45% of human error breaches), unintended release or publication of personal information (16%), and failure to use the ‘blind carbon copy’ function when sending group emails,” the OAIC says.
Neglecting to use blind carbon copy had a large effect: An average of 19,163 individuals were affected by a failure to use that feature, the OAIC says.
Managed Service Providers
A data breach may often affect two or more organizations, particularly when a managed service provider is involved. The OAIC says it suspects some managed service providers and their clients chose not to notify it of breaches despite other clients of the same MSP reporting an incident.
Generally, when a breach involves both an organization and an MSP and the data is held jointly, the entity with the closest direct relationship to the affected individuals should make the report. Only one report per incident needs to be made.
The OAIC says it has seen different approaches to multiparty breaches, some of which are inadequate. In some cases, the MSP managed the breach and notification, including notifying the OAIC and those affected. In other cases, the MSPs left it up to clients to make the notifications. That’s fine, the OAIC says, but “it is not without risk and may result in entities falling short of their obligations under the NDB scheme.”
The OAIC outlined a situation in which it was notified by multiple entities of a data breach that was the result of a single compromise of an MSP. The OAIC, however, suspected that several other entities were also affected, but it did not receive notifications. That was likely a violation of the Privacy Act, which the mandatory data breach provision falls under.
“Here, both the MSP and the MSP’s clients that did not notify the OAIC may have failed to meet their obligations under the Privacy Act,” the OAIC says.