On 27 August 2019, the Office of the Australian Information Commissioner (OAIC) released its latest quarterly report into the Notifiable Data Breaches (NDB) regime with national figures confirming that one in three breaches last quarter were caused by compromised credentials (passwords).
The Report comes as new research suggests the annual cost of worldwide data breaches will exceed $5 trillion by 2024 1. The whitepaper, released by UK research body Juniper Research, suggests the increase will "primarily be driven by increasing fines for data breaches as regulation tightens", with the majority of breaches expected to target small to medium sized enterprises who lack the financial capacity to adequately invest in cyber protection.
What is causing the breaches?
The Report covers the 1 April to 30 June 2019 reporting period, during which there were 245 breach notifications made, a 14 per cent increase on the previous quarter. Consistent with past reports, the results indicate that human error continues to be a key contributor to eligible data breaches, with simple mistakes such as sending information to the wrong recipient or the loss or accidental publication of information accounting for 34 per cent of breaches. Malicious or criminal attacks (such as phishing, hacking, compromised credentials, insider threats or theft) accounted for 61 per cent, with a mere four per cent attributable to system errors.
Which industries are being targeted?
The health and finance sectors continue to be the primary targets and victims of data breaches, making up 19 per cent and 17 per cent of the total breaches. The legal, accounting and management industries came in third with 10 per cent, followed by education and retail. This is consistent with past trends and reflects the sensitive (and value) of the information held by health and finance organisations.
The majority of the breaches in the reporting period affected the personal information of 100 or fewer individuals (62 per cent), with only eight breaches affected over 10,000 individuals.
What's the lesson for business?
The risks posed by malicious cyber actors are continuously evolving and becoming ever more sophisticated, and requiring ongoing and adaptive solutions and approaches to risk management. However, the human error component is both stubbornly consistent and persistent. As noted by Juniper Research in its The Future of Cybercrime & Security: Threat Analysis, Impact Assessment & Mitigation Strategies 2019-2024 whitepaper, while cyber security has become embedded in most corporate cultures and structures, it is not necessarily filtering through to system users.
The failure to update passwords, to properly redact or dispose of personal information or to accurately address an email continues to be a key source for data breaches, but it is also one which can and should be addressed and mitigated. Ensuring that staff are properly trained to identify high-risk emails, integrating appropriate safeguards into information management systems (e.g. dual authentication) and shifting high volume data processing tasks from a manual to an automated process can all help reduce your risk of a breach, and potentially represent a more efficient spend of your cyber risk budget.
When is the next report?
The Report is the OAIC's latest (and last) quarterly NDB report before it moves to a bi-annual reporting cycle. It's unclear whether this was a decision taken by OAIC based on the consistency of reporting results rendering quarterly reports gratuitous, or the result of limited resources. While the most recent federal Budget included a $25 million funding increase to the OAIC over the next three years, this pales in comparison to the $400 million (a 25 per cent increase) and $150 million in additional funding allocated to Australian Securities and Investments Commission (ASIC) and Australian Prudential Regulation Authority (APRA) respectively.
The consistent message, out of the current and previous reports, is that business needs to invest not only in technology and security but also in staff training – upskilling your workforce in privacy awareness and basic security may be your best defence against a potential breach.
1Juniper Research, https://www.juniperresearch.com/press/press-releases/business-losses-cybercrime-data-breaches, 27 August 2019.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.