Computerworld

‘Cyber incidents’ leading cause of data breaches affecting Australians, OAIC says

Malicious acts rather than human or system error are the leading cause of breaches covered by Australia’s mandatory reporting scheme

So-called ‘cyber incidents’ continue to be a leading source of data breaches that threaten Australians’ privacy, according to figures released by the Office of the Australian Information Commissioner (OAIC).

The OAIC this morning released its latest quarterly report on the Notifiable Data Breaches (NDB) scheme. In the three-month period ended 31 March the OAIC received 215 notices of breaches under the NDB scheme, which requires organisations to notify the commissioner and affected individuals if a data breach is likely to result in serious harm.

Sixty-one per cent of the reported breaches related to malicious or criminal attacks. Of those 131 breaches, 87 — 66 per cent — involved ‘cyber incidents’, which the OAIC said include phishing, malware, brute-force attacks, or compromised or stolen credentials. Other breaches involved insider threats (19), social engineering (7), or theft of paperwork or a storage device (18).

Human error accounted for 35 per cent of breaches overall, while 4 per cent were attributed to system faults.

The vast majority of the breaches involved contact information, but 46 per cent also included financial details, 26 per cent identity information, 29 per cent health information, and 17 per cent Tax File Numbers. Twelve per cent of breaches included “other sensitive information,” the OAIC said.

With 58 notifications provided to the OAIC, health service providers were the top sector for NDB-eligible breaches, followed by finance (27 notifications), legal, accounting and management services (23), education (19), and retail (11).

One known breach during the period covered by the report was at ASX-listed retailer Kathmandu, which in March said that an “unidentified third party” may have had access to its online ecommerce website for over a month.

In a statement issued to the ASX the company said that during the period 8 January to 12 February “the third party may have captured customer personal information and payment details entered at check-out”.

The OAIC said that it intends to decrease the frequency of NDB reports from quarterly to every six months. 

Earlier this year the OAIC released its final report compiling 2018 NDB figures, revealing that last year it received 812 notifications under the mandatory reporting scheme.