The fourth quarterly Notifiable Data Breaches report from the Office of the Australian Information Commissioner (OAIC) shows 262 data breaches involving personal information were notified to the OAIC between 1 October and 31 December 2018.
The leading cause of notifiable data breaches in the December quarter was malicious or criminal attack (168 notifications, 64%), followed by human error (85 notifications, 33%) and system faults (9 notifications, 3%).
Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks.
The Notifiable Data Breaches October – December 2018 report shows 60% involved the personal information of 100 or fewer individuals, compared to 63% in the previous quarter.
The kinds of personal information (PI) involved in breaches included contact information (85%), financial details (47%), identity information (36%), health information (27%) and Tax File Numbers (18%)
Human errors included:
- Failure to use BCC when sending email;
- Loss of paperwork/data storage device;
- PI sent to wrong recipient (email) (27%);
- PI sent to wrong recipient (mail) (12%);
- PI sent to wrong recipient (fax);
- PI sent to wrong recipient (other);
- Unauthorised disclosure (unintended release or publication);
- Unauthorised disclosure (failure to redact);
- Unauthorised disclosure (verbal).
The top five sectors to report breaches were:
- Private health service providers: 54 reports;
- Finance: 40;
- Legal, accounting and management services: 23;
- Private education providers: 21;
- Mining and manufacturing: 12.
The highest reporting sector this quarter was the health sector (54 notifications). Of those notifications, 54 per cent of reportable data breaches resulted from human error. In contrast, notifications from the second highest reporting sector, finance, indicated that 70 per cent of its data breaches resulted from malicious or criminal attacks. In the finance sector 27% of reported breaches resulted from human error.
Of the top five sectors, only the finance and education sectors notified a data breach resulting from a system fault.