According to the most recent Notifiable Data Breaches Report published by the Office of the Australian Information Commissioner (OAIC), data breaches rose considerably in the latest quarterly reporting period.
To help organizations understand the causes of data breaches, and presumably avoid them, the OAIC has published data breach notification statistics every quarter, as required by regulatory mandate. Going forward, the office will publish the statistics every six months. In the first quarter of 2019 there were 215 reported breaches, compared with 245 in the second quarter.
According to the report, the majority of reported breaches (62%) involved the personal information of 100 or fewer people, and 42% affected 10 or fewer individuals.
Contact information was involved in most breaches (90%), while financial information was involved in 42%, identity information in 31%, and health information in 27%. Of the 245 breaches, 151 were attributed to intentional (malicious or criminal) attacks, 84 to human error, and the remaining ten to system faults.
While criminal attacks are obviously intentional, the report stated that “many incidents in this quarter exploited vulnerabilities involving a human factor. This included individuals clicking on a phishing email or use of credentials that had been compromised or stolen by other means (such as in another data breach) to obtain unauthorized access to personal information.”
Criminal attacks were the largest source of data breaches this quarter, accounting for 62% of the breaches reported. Of those, 69.5% involved phishing, malware, ransomware, brute-force attacks, or compromised or stolen credentials. “Theft of paperwork or data storage devices was another source of malicious or criminal attacks (14.5%). Other sources included actions taken by a rogue employee or insider threat (8%), as well as social engineering or impersonation (8%),” the report found.
“The second largest source of data breaches was human error, such as sending personal information to the wrong recipient via email (35%), unauthorized disclosure through the unintended release or publication of personal information (18%), as well as the loss of paperwork or data storage device (12%),” the report found.
According to the report, the unintended release of personal information impacted the largest number of people, with an average of 9,479 affected individuals per breach. “This is consistent with the previous quarterly trend. Failure to use BCC when sending emails impacted an average of 601 individuals per data breach,” the report said.
The clear majority of those incidents (79%) involved compromised credentials, obtained through phishing attacks, brute-force attacks or unknown methods. System faults accounted for 4% of breaches, such as a buggy website or another fault that unintentionally disclosed personal information.
What vertical markets were breached? The top reporting sector was healthcare, with 47 notifications. “Of those notifications, 53 per cent of data breaches resulted from human error. Notifications from the second highest reporting sector, finance, indicated that 50 per cent of its data breaches resulted from malicious or criminal attacks,” the report said.
The legal, accounting and management services sector, the education sector and the retail sector also reported that the majority of their data breaches stemmed from criminal attacks.