The Office of the Australian Information Commissioner (OAIC) publishes periodic statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 July 2019 to 31 December 2019.
Key findings for the July to December 2019 reporting period:
- 537 breaches were notified under the scheme, up from 460 in the previous six months
- Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 64 per cent of all notifications
- Data breaches resulting from human error account for 32 per cent of all breaches, down from 34 per cent in the last reporting period
- The health sector is again the highest reporting sector, notifying 22 per cent of all breaches
- Human error caused 43 per cent of data breaches in the health sector, compared to an average of 32 per cent across all notifications
- Finance is the second highest reporting sector, notifying 14 per cent of all breaches
- Most data breaches affected less than 100 individuals, in line with previous reporting periods
- Contact information remains the most common type of personal information involved in a data breach.
The Notifiable Data Breaches Report shows health service providers continue to report more data breaches to the OAIC than any other sector. Following the release of a Guide to health privacy, the OAIC has published a four-step action plan specifically aimed at the health sector to help providers contain and manage data breaches, including those involving the My Health Record system. The resource has been developed in partnership with the Australian Digital Health Agency, the Australian Cyber Security Centre and Services Australia.
INDUSTRY COMMENTARY
Lindsay Brown, VP of Asia Pacific and Japan, LogMeIn
The first biannual update of the OAIC Notifiable Data Breach is evidence that passwords and credentials continue to be mismanaged in the workplace. What’s most concerning is the vast majority of cyber incidents (74%) reported by the top five industry sectors are linked to phishing or compromised credentials.
Evidently, the threat to the digital landscape continues to worsen and organisations must be keenly aware of the importance of their employees using strong credentials. The figures are hard-hitting facts that business leaders need to take into account when educating employees on the importance of appropriate security hygiene and establishing requirements such as minimum length and complexity for items like passwords. Clearly the standard approach of employee security training with no tools to support behaviour change is failing businesses across all sectors.
Business leaders should explore password management, single sign-on (SSO) for apps, and multi-factor authentication (MFA) (or biometric-based solutions) to keep an organisation’s credentials secure. Using a comprehensive identity solution such as LastPass introduces new ways for employees to securely log in to their apps and devices without a password in sight, thus eliminating many password-related risks, leading to higher security and employee productivity, while also freeing up resources for IT. It’s no longer enough to approach digital security with a reactive stance.
Terry Burgess, Vice President, APJ, at SailPoint
“The most recent OAIC Notifiable Data Breaches report shows the number of data breaches reported has increased. Australian organisations are on average reporting 90 breaches per month; malicious or criminal attacks continued to account for the highest proportion of notifications over the past six months, followed by human error; and health service providers, finance, and education organisations make up the top three sectors by notifications.
Data breaches are an imminent threat to Australian organisations—indeed, last year cybersecurity was highlighted as a top 10 risk globally.
As the saying goes, ‘prevention is better than a cure’. Business leaders need to prepare for imminent breaches by investing in appropriate cybersecurity defences and staff education. Companies should begin training employees to be more aware of the risk of data breaches; this can be as simple as encouraging employees to change their passwords frequently. Ultimately, good policy and future investments in cybersecurity are contingent upon business leaders having a clear picture of the risks to make informed decisions. As threats are increasing, business leaders need to put effort into continuously improving their companies’ cybersecurity postures to reduce the possibility of becoming a statistic.”
John Donovan, Managing Director ANZ at Sophos
“2020 marked the turn of a new decade, but sadly not a change in fortune for the finance sector which has again suffered the second most data breaches according to the OAIC. The sector’s long reign near the top indicates a need for radical change when it comes to cybersecurity.
Firstly, the industry must invest in the right cybersecurity technology to ensure it has the ability to thwart any malicious or criminal attacks, as they accounted for 52 per cent of finance’s 77 data breaches over the last six months. Additionally, finance professionals must increase their understanding of cybersecurity. Alarmingly, 39 per cent of the sector’s data breaches were a result of human error, indicating more training and awareness must be done to develop a more cyber-aware culture.
Australians trust the finance sector with PII (personally identifiable information) like names and addresses, but also confidential information such as bank details and credit scores. It’s time for the industry to repay this faith and do more to protect Australians’ information.”
Simon Howe, Vice President Sales Asia Pacific, LogRhythm
“This report suggests that businesses continue to be a very attractive target for cyber criminals due to the large amounts of sensitive customer data collected and stored. Increasingly organisations of any size must be aware of the evolving types of threats and the vulnerabilities that exist across their networks in order to protect customers’ data. Security awareness programs are a great help in this regard, especially those that this report suggests focus specifically on phishing awareness.
“At the same time, security visibility and monitoring of systems, even those hosted outside of a network, are critically important. Organisations should also increasingly look at their security supply chain and include security controls and protections within contracts when partnering with third parties. This will not only limit a company’s liability if a breach were to occur, but it will also test the third party’s adherence to those controls and enable a company to monitor the controls themselves.
“As in previous years, when there is detection of a breach, rapid incident response can mean the difference between a damaging data breach and quick containment. As they look at their investment dollars in 2020, decision makers would be well advised to put in place advanced security tools that automate common investigation tasks and streamline remediation and response in order to halt a breach immediately and in real time.”
Mark Perry, Asia Pacific Chief Technology Officer, Ping Identity
“It’s clear from the report that organisations are not doing enough to close the major attack vector that leads to data breaches, namely compromised credentials. At the same time, for attackers right now, phishing is low-hanging fruit, enabled by simple and outdated authentication methods. Multi-factor authentication really needs to be considered as an essential component of a cybersecurity strategy, for both employees and customers, especially for email accounts.
“Going passwordless is another option, well supported by industry solutions. The FIDO2 standard has been designed to mitigate phishing attacks and should be considered as a replacement for a one-time code delivered by email or SMS, which are inherently less secure. The report also appears to suggest that the healthcare sector in particular needs to embrace modern, secure authentication solutions to safeguard personal and sensitive data.”
Jim Cook, ANZ Regional Director, Attivo Networks
“The report identifies credential theft as of major appeal to today’s hackers and suggests that against this backdrop, organisations can ill afford to be complacent about their security posture or assume traditional cyber-security measures will continue to answer. The threat posed by cyber-crime is rising and, as organisations continue to digitise, traditional perimeter-based cyber-security strategies will no longer be completely reliable or adequate.
“Businesses need to have real-time monitoring and clear visibility into their operations so they can rapidly detect and neutralise security threats. As a result, they may now need to focus on how they manage their security challenges head-on by making every network element part of a deception fabric to disrupt an attacker’s ability to break out and further infiltrate the network. Indeed, luring adversaries into the open with deception technology can prevent them from gaining access to critical IT data and assets and ultimately reduces the occurrence of disruptive and costly incidents which businesses of all sizes can ill afford to weather.”
Mark Sinclair, ANZ Regional Director, WatchGuard Technologies
“This latest report from the OAIC comes at a time when cyber security, or the lack of it, has gone mainstream. A day doesn’t seem to go by where the general public doesn’t hear of some new data breach, ransomware attack, company network compromise, or state-sponsored cyber-attack. Meanwhile, thanks to Facebook, consumers have also become intimately aware of how their own personal data privacy contributes to their own security.
“This Notifiable Data Breaches report data highlights the treasure trove of personal information held in email accounts and contact lists that attackers are exploiting more and more often. Protecting email credentials has never been more important and multi-factor authentication (MFA) should now become a standard security control for businesses in 2020. Indeed, the Australian Cyber Security Centre lists multi-factor authentication (MFA) as a key counter-measure to protect against the exploitation of stolen credentials as part of its Essential Eight. MFA is a highly effective and easy-to-implement solution that will render a phished username/password useless. All Australian businesses should have MFA high on their cyber security shopping list if they don’t have it implemented already. At the same time, businesses should remember that good security hygiene is often more about sustained behaviours than any one mistake or decision.”
Budd Ilic, ANZ Country Manager, Zscaler
“Despite large sums of money being invested in security, the report paints an alarming picture of the increasing number of notifications. This implies businesses are not keeping up with the increasing sophistication of phishing and other cyber attacks. Every business leader should read the report and review their cyber security governance posture in the light of these results. At the same time, they should focus effort on developing and integrating a risk management program across platforms and cloud and ensure that their investments are regularly reviewed and aligned to the current threat environment so that they don’t run afoul of compliance, laws and regulation.”