The Office of the Australian Information Commissioner (OAIC) recently released its third quarterly report in relation to data breaches notified under the Notifiable Data Breach (NDB) Scheme between 1 July and 30 September 2018. For this quarter, the OAIC received 245 data breach notifications which is on par with the previous quarter. With this being the second full quarter report released by the OAIC, it is becoming easier to recognise certain trends in data breach incidents.
Statistics
The graph below shows the number of individuals affected by breaches during:
- July to September 2018 in red (Third Quarter) and
- April to June 2018 in black (Second Quarter)
Despite some media reports suggesting that every data breach affects a large portion of Australians, the OAIC report indicates that the majority of data breaches only involve the personal information of 100 individuals or less (62 percent). This majority becomes even larger when considering cases involving equal to or less than 1000 people (86 percent). This percentage is relatively consistent across all three reports published so far.
Similar to the second report, the top five kinds of personal information involved in data breaches continue to be:
- Contact information (85 percent)
- Financial details (45 percent)
- Identity information (35 percent)
- Health information (22 percent)
- Tax File Numbers (22 percent)
- Other sensitive information (7 percent)
Unsurprisingly, contact information, such as address or phone numbers is compromised in most data breach incidents. Where this becomes particularly concerning is where contact information overlaps with financial details, identity information and health information. Since reporting began, approximately:
- 40% of breaches involved financial details
- 33% of breaches involved identity information and
- 27% of breaches involved health information.
Industry breakdown
Each quarterly report highlights the top five industries that report notifiable breaches. Across all three reports so far, the Private Health, Finance, and Legal, Accounting and Management Services sectors continue to be the top three sectors with the most reported breaches. Whilst breaches reported in the Health sector are the most common, they have decreased slightly since the last report. In contrast, as shown in the graph above, breaches reported in the Legal, Accounting and Management Services sector have increased by 70 percent during this quarter.
Source of breaches
The report shows that human error and malicious or criminal attacks continue to be the most frequent causes of reported breaches.
Data breach involving some form of human error continue to be prevalent. In practice this can be as simple as sending an email to the wrong recipient, or clicking on an attachment to an email infected with a virus or inadvertently providing login credentials to cyber criminals.
As a means to mitigate risk, we strongly recommend that organisations provide regular training to staff on cyber risk generally and in particular on how to spot and avoid the varying types of cyber risk.
For readers looking for more information on the NDB Scheme, we have prepared a series of blogs on different aspects of the new law to assist you understand how it works and what your obligations may be in the case of a data breach. Our previous blogs can be accessed via the following links: