
Phishing emails and human error: Almost 1,000 data breaches reported in 12 months

There were 964 data breaches reported to the Office of the Australian Information Commissioner in the first year of mandatory reporting.
Stephen Easton

There were 964 data breaches reported to the federal regulator in the first year of mandatory reporting rules, and “malicious or criminal attacks” were behind 60% of cases, with most of the remainder caused by human error and only 5% blamed on system faults.

In 17% of incidents, information about more than 1,000 people was compromised, and contact details were exposed in 86% of cases. Malicious emails were the most common method of attack: successful phishing or spear-phishing (the more targeted kind) was the cause of 153 data breaches.

In 28% of incidents, the affected organisation did not know how the attacker had obtained the access credentials (possibly reused from a past mass data breach). While human error was blamed for 35% of reported breaches overall, it accounted for 55% in the health sector and 41% in the finance sector.

Most data breaches happened in the health sector, where accidents like sending information to the wrong address were more common than attacks. Next in line was finance, followed by professional services, both of which saw slightly more malicious activity than human error. System errors rarely led to data breaches anywhere.

The Office of the Australian Information Commissioner (OAIC) received a total of 1,132 notifications in the year to March 31, 2019, a 712% increase on 2017 under the previous voluntary reporting system. But not all counted as “eligible data breaches” under the law; 168 either came from entities that are exempt from the Privacy Act or did not meet the legislative criteria to be reported to the regulator.

Regulator leaves naming and shaming to the media

In the first year since the Notifiable Data Breach legislation took effect, information and privacy commissioner Angelene Falk has focused on encouraging better security practices and helping organisations comply with the regulations, which cover the private and public sectors.

She says the OAIC has “examined security practices and conducted inquiries to ensure containment, rectification and future mitigation of security risks” in some cases. “There have also been times when further regulatory action has been necessary, including issuing a direction to notify under s 26WR of the Privacy Act.”

Falk notes the scheme is expected to raise consumer confidence in the security of data people have already handed over to various organisations, and help them decide whether to trust “particular entities” with their personal information in the future. But the OAIC rarely names the organisations that report data breaches.

The legislation does not allow her to do much naming and shaming, but the commissioner suggests, hopefully, that journalists can contribute to these consumer-awareness outcomes.

“While the NDB scheme does not generally permit the OAIC to publish details about which entities have reported eligible data breaches, there has been a sustained interest from the media in reporting data breaches over the year, which has meant that in many cases, entities that have experienced a data breach have been in the public eye.

“This has led to growing awareness of privacy rights and issues amongst consumers and the risks inherent in putting information online, as well as proactive measures that every person can take to protect themselves,” she says.

Falk’s office has observed some organisations improving privacy and security standards in response to the new regulations, and minimising the data they collect to reduce risk. She says the OAIC has been able to “work constructively” with organisations when they have proactively come forward to discuss data breaches, or ask whether an incident meets the reporting threshold.

The commissioner reports “some maturation has been evident” in how organisations responded to data breaches over the year.

In the second year of the mandatory data breach reporting scheme, the OAIC will have higher expectations of organisations covered by the rules, in terms of their efforts to prevent breaches.

“This means taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent and respond to breaches. We also encourage entities to move beyond compliance to effectively support consumers.

“While the law obliges entities regulated under the Privacy Act to provide transparent and useful information to consumers, it is those entities who focus on the consumer and navigate beyond compliance to support affected individuals to take steps to minimise or prevent harm in a meaningful way who will differentiate themselves and maintain trust over time.”

The commissioner reports the OAIC will take “a proportionate and evidence-based regulatory approach” going forward and use its enforcement powers if necessary.

Few consumers trust government with data

Government organisations barely rate a mention in Angelene Falk’s report on data breaches, but even so, few consumers trust government organisations with their data, according to the latest Deloitte Privacy Index.

The “big brands” in the government sector ranked eighth out of 10 sectors, based on a survey of 1,000 people about how much they trust 100 well-known organisations with their privacy, conducted for the consulting firm by Roy Morgan Research.

This year’s questions focused on consumer attitudes about smartphone apps, and found that trust in the brand behind an app was the main factor in the decision to hand over personal information for 65% of people.

Almost half of respondents (46%) said they gave false information in apps due to privacy concerns, and privacy policies were not accessible in 22% of apps produced by the “top 100 brands” surveyed. “This means that the basic transparency requirements of privacy law in Australia are not being fully met,” comments the author of the report, David Batch.

Users could partially opt out of giving personal information to 59% of the apps, but only 21% of the organisations indicated the user could delete their personal data or ask for it to be deleted.

Deloitte makes much of the fact that 89% of respondents said they had denied permissions requested by apps to access their location, photos, contacts, camera or microphone, due to privacy concerns, and 63% have chosen to delete an app rather than grant the permissions.

When there’s no good alternative, however, most people just take the plunge despite their qualms.

“This year’s findings do indicate both a growing consumer awareness of, and ability to discern, good privacy practice,” Batch said.

“Nevertheless, some brands have such great market share because they effectively monopolise the goods or services in high consumer demand in their sector. In this instance, consumers will still interact with that brand’s app regardless of their level of trust in that brand.”

This piece was first published on The Mandarin.
