The Privacy Commissioner has published the Notifiable Data Breaches Scheme report for the period from 1 January to 30 June 2021.
The OAIC received 446 data breach notifications from January to June 2021, with 43% of these breaches resulting from cyber security incidents.
Data breaches arising from ransomware incidents increased by 24%, from 37 notifications last reporting period to 46.
Key findings for the January to June 2021 reporting period were:
- Malicious or criminal attacks remain the leading source of data breaches, accounting for 289 notifications (65% of the total), down 5% in number from 304.
- Data breaches resulting from human error accounted for 134 notifications (30% of the total), down 34% in number from 203.
- The health sector remains the highest reporting industry sector, notifying 19% of all breaches, followed by finance, which notified 13% of all breaches.
- Contact information remains the most common type of personal information involved in data breaches.
- 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
The report highlights the risks of impersonation fraud and ransomware.
Impersonation fraud involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location.
The OAIC said entities should have controls and identity verification processes in place to minimise the risk of impersonation fraud. However, the growth of data on the dark web has meant that malicious actors increasingly hold sufficient personal information to circumvent these controls and processes and successfully impersonate an account holder.
The OAIC has been advised of data breaches resulting from a malicious actor calling a service provider’s customer helpline or contact centre, impersonating a customer, and passing the organisation’s verification processes. The impersonator is then able to log in to online accounts, update the customer’s personal information, make fraudulent transactions, and potentially obtain additional personal information that enables them to commit further impersonation fraud.
The OAIC generally considers impersonation fraud to be an eligible data breach under the NDB scheme where the personal information the entity holds is accessed by a third party and results in a likely risk of serious harm. This satisfies the test of an unauthorised disclosure, even when the malicious actor already held some of the personal information.
During the reporting period, the OAIC said a number of entities assessed that a ransomware attack did not constitute an eligible data breach due to a ‘lack of evidence’ that access to or exfiltration of data had occurred.
An assessment of a suspected data breach under section 26WH of the Privacy Act is required if there are reasonable grounds to suspect that there may have been an eligible data breach, even if there are insufficient reasonable grounds to believe that an eligible data breach has occurred.
The OAIC says it is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred. Where an entity cannot confirm whether a malicious actor has accessed, viewed or exfiltrated data stored within the compromised network, there will generally be reasonable grounds to believe that an eligible data breach may have occurred and an assessment under section 26WH will be required.
Given the prevalence of ransomware attacks, the OAIC expects entities to have appropriate internal practices, procedures, and systems in place to undertake a meaningful assessment under section 26WH. As best practice, entities should:
- have appropriate audit and access logs
- use a backup system that is routinely tested for data integrity
- have an appropriate incident response plan
- consider engaging a cyber security expert at an early stage to conduct a forensic analysis if a ransomware attack occurs.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.