Many readers will be aware that the mandatory data breach reporting requirements in Australia have been in operation since February of 2018. In September last year Holman Webb reported on the statistics provided by the Office of the Australian Information Commissioner relating to the quarter ending July 2018.
So, how are things looking 18 months into the operation of the mandatory reporting regime?
The statistics show that:
- There have been over 1,270 notifications;
- Only 4% arise from system errors;
- 36% of breaches arise from human error (including misdirected emails, wrongly copying people into emails, lost paperwork, insecure disposal of personal information and loss of devices on which data is stored);
- 25% relate to the disclosure of information about one person only; and
- With respect to cyber incidents:
  - 36% arise from phishing emails;
  - 29% from stolen or improperly used access details;
  - 7% from malware;
  - 7% from ransomware; and
  - 9% from brute force attacks.
The lesson to take from the above is that your staff remain the key factor in data security. If the definition of staff conduct is broadened to include opening phishing emails and giving away passwords and other access details, then at least 50% of all breaches arise from staff conduct.
For those wanting to ascertain whether there are any trends, the raw statistics per quarter are:
Attributes and Results of Security Breaches

| QT Ended | Number of Notifications | Human Error (%) | Fault in IT Person ONLY (%) | Affecting 1 person ONLY (%) | Release or Access of Contact Info (%) | Release or Access of Financial Info (%) | Release or Access of Health Info (%) |
|---|---|---|---|---|---|---|---|

Specified Human Error

| QT Ended | Data Emailed, Mailed, or Faxed to Wrong Recipient (#) | Emails in which sender failed to use BCC (#) | Loss of paperwork, insecure disposal, or loss of storage device (#) |
|---|---|---|---|

Cyber Incidents

| QT Ended | Phishing Emails (%) | Ransomware (%) | Malware (%) | Brute Force Attacks (%) | Via or Compromised Credentials (%) |
|---|---|---|---|---|---|

Top 5 Industries Affected by Breaches (# of Notifications)

| QT Ended | Health Service Providers | Finance | Legal/Accounting and Management | Education | Business Professional Association |
|---|---|---|---|---|---|
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.