31 July 2020

An increase in data breaches caused by ransomware attacks and impersonation is among the key findings in the latest statistics report from the Office of the Australian Information Commissioner (OAIC).

The OAIC’s Notifiable Data Breaches (NDB) Report for January to June 2020 shows a slight fall in the number of eligible breaches reported (518) against the previous six-month period (532), but an increase of 16% compared to the same period last year.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said malicious or criminal attacks including cyber incidents remain the leading cause of data breaches involving personal information in Australia.

“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” Commissioner Falk said.

“This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.”

The report shows the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June, Commissioner Falk said.

“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.

“This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks.

“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”

Across the reporting period approximately 77% of notifying entities were able to identify a breach within 30 days of it occurring.

However, in 47 instances the entity took between 61 and 365 days to become aware and assess that a data breach had occurred, while 14 entities took more than a year.

“Organisations must be able to detect and respond rapidly to data breaches to contain, assess and notify about the potential for serious harm,” Commissioner Falk said.

“A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.

“In these cases, we required the organisation to re-issue the notification. We will continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”

In other findings:

• The insurance industry entered the top five sectors for the first time since the report began, notifying 35 breaches
• Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors.
• The number of notifications resulting from social engineering or impersonation has increased by 47% during the reporting period to 50 data breaches
• Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.

The number of notifications per month varied widely across the reporting period, ranging from 63 in January to 124 in May — the highest number of data breaches reported in a month since the NDB scheme began in February 2018.

While the increase coincided with widespread changes in working arrangements due to the COVID-19 outbreak, Commissioner Falk said the OAIC had not found evidence to suggest the increase in May was the result of changed business practices.

“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” she said.

“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.

“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.”

Read the Notifiable Data Breaches Report for January-June 2020.

---

Notifiable Data Breaches Report: January–June 2020

31 July 2020

The Office of the Australian Information Commissioner (OAIC) publishes periodic statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 January 2020 to 30 June 2020.

Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same data breach. Notifications relating to the same data breach incident are counted as a single notification in this report.

The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected for statistical purposes. Source of breach categories are defined in the glossary at the end of this report.

Consistent with previous NDB statistical reports, notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

NDB notification statistics contained within this report relate to a specific point in time. Some recent notifications covered by the period of this report are under assessment and the status and categorisation of these notifications may change prior to the finalisation of their assessment. Similarly, there may have been adjustments to statistics from previous reports as a result of changes to the status or categorisation of individual notifications. As a result, references to historical data appearing in this report may differ from the information appearing in previous reports covering the relevant period.

Note: This report also contains a correction to data in the July–December 2019 NDB Scheme report published in February 2020. This report stated there was a 19% increase in the number of notifications received when compared to the previous six months. The correct figure was 17%.

Executive summary

The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. It applies to agencies and organisations who are covered by the Privacy Act 1988 andare required to take reasonable steps to secure personal information.

The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading causes and sources of data breaches, and to highlight emerging issues and areas for ongoing attention by regulated entities.

There was a 3% decrease in the number of data breaches reported to the Office of the Australian Information Commissioner (OAIC) between January and June 2020, compared to the period from July to December 2019.

Key findings for the January to June 2020 reporting period:

• 518 breaches were notified under the scheme. This figure is down 3% from 532 in the previous six months, but up 16% on the 447 notifications received during the period January-June 2019.
• Malicious or criminal attacks (including cyber incidents) remain the leading cause of data breaches, accounting for 61% of all notifications
• Data breaches resulting from human error account for 34% of all breaches
• The health sector is again the highest reporting sector, notifying 22% of all breaches
• Finance is the second highest reporting sector, notifying 14% of all breaches
• Most data breaches affected less than 100 individuals, in line with previous reporting periods
• Contact information remains the most common type of personal information involved in a data breach.