Malicious or criminal attacks accounted for the majority of data breaches reported to the Office of the Australian Information Commissioner in the three months to 30 June.
The OAIC today released its second report on the Notifiable Data Breaches (NDB) scheme. The report revealed that 59 per cent of the 242 breaches reported to the privacy watchdog during the quarter were attributable to malicious or criminal attack (36 per cent related to human error and 5 per cent to a system fault).
The overwhelming majority of those breaches — 97 — related to ‘cyber incidents’ (31 related to data or paperwork theft, seven to insider threats and seven to social engineering). The most common attack vector was credentials that were compromised or stolen by some unknown method — 34 per cent — followed by credentials compromised by phishing (29 per cent) and compromised by brute-force attacks (14 per cent).
As with the first report issued as part of the NDB scheme, the health sector dominated with the largest number of breaches. Forty nine of the breaches were reported by health service providers, followed by finance (36 breaches), legal, accounting and management services (20), education sector (19) and business and professional associations (15).
The NDB scheme commenced on 22 February, making the new report the first to cover a full quarter of operation.
The scheme obliges organisations to report data breaches to the OAIC and notify affected individuals when there is a risk of “serious harm”.
The NDB scheme covers businesses with annual turnover greater than $3 million. Also subject to breach reporting obligations are organisations that handle certain sensitive categories of data, such as health-care providers, and Commonwealth entities.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” said acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk.
“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.”