CIO

Australian companies failing to slow the tide of data breaches: OAIC

Consumers’ financial details compromised in 45 percent of data breaches during most recent quarter

Australia’s healthcare industry remained the most frequently breached sector, according to new figures from the Office of the Australian Information Commissioner (OAIC) showing that, on average, around 81 Australian businesses suffer a notifiable data breach every month.

The OAIC’s second full-quarter report under the Notifiable Data Breaches (NDB) scheme found that the rate of eligible data breaches had remained consistent since the scheme took effect in February.

Some 245 data breaches were reported for the period from 1 July to 30 September, with 45 of those related to health service providers, 35 coming from the finance sector, and 34 from the legal, accounting and management services sector.

That was fewer than the 49 health-sector breaches reported in the previous quarterly report, when finance operators reported 36 data breaches. Healthcare providers also topped the leaderboard in the OAIC’s first-ever report under the NDB scheme.

More of the reported breaches were smaller in the most recent quarter, with 63 percent of incidents involving the personal information of 100 individuals or fewer and 41 percent involving 1 to 10 individuals.

Angelene Falk, Australian information commissioner and privacy commissioner, said in a statement that the continued high rate of data-breach reports was a sign that the NDB was working as intended.

“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” she wrote.

“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.”

Malicious or criminal attacks were the cause of 59 percent of notified data breaches, with human error – most frequently, the emailing of personal information to the wrong recipient – responsible in 36 percent of incidents.

Contact information was compromised in 85 percent of incidents, with financial details lost in 45 percent and identity information compromised in 35 percent of cases. Also frequently lost were tax file numbers and health information, each compromised in around 22 percent of incidents.

The most common vector for compromise was the use of stolen user credentials, which cybercriminals exploited in 31 percent of incidents.

These credentials were most often obtained through phishing attacks (20 percent of cases), although credential compromise by an unknown method (7 percent) and brute-force attacks (4 percent) were also reported.

This came as no surprise to Sailpoint CEO and co-founder Mark McClain, who called the numbers “staggering” and warned in a statement that the figures confirm that Australian businesses “are struggling to see and understand the risks associated with compromised user credentials – an area of great interest to hackers today, and for good reason.”

The newly released quarterly report saw numerous reports of incidents that involved multiple entities, testing the extent of companies’ preparations in establishing clear procedures about the way data breaches are handled if third-party providers are used.

Third-party controls remain a significant weak spot, and a source of confusion as companies work to back their strengthened cybersecurity defences with actionable policies that meet their NDB obligations.