Mishandling of personal data by staff and customers remains the number one cause of cyber breach incidents within Australia, with the latest figures from the Notifiable Data Breaches (NDB) scheme report revealing the rate of data loss incidents has worsened over the six months to June.
 

The quarterly report from the Office of the Australian Information Commissioner (OAIC), which recorded NDB incidents between April and June, showed roughly one in three data breaches were a direct result of compromised credentials, using customers’ login and password information to gain unauthorised access to personal information.

Individuals falling prey to phishing emails or reusing passwords across multiple services were among the primary causes of these compromised account breaches, the report revealed.

‘Malicious or criminal attacks’ accounted for an overwhelming 62 per cent of the 245 total data breaches identified in the April-June quarter, with ‘human error’ representing 34 per cent. ‘System faults’ – defined as a business or technology process error not caused by direct human error – accounted for just 4 per cent of breaches.

Nearly 70 per cent of malicious incidents involved a cyber element – most of which were the result of phishing (44 per cent) or compromised or stolen credentials (31 per cent). Brute-force attacks represented less than five per cent of these incidents.

‘Cyber incidents’ were defined by the OAIC as attacks specifically targeting computer information systems, infrastructures, computer networks, or personal computer devices.

The results of the OAIC report come in the wake of the headline-grabbing breach affecting the PayID fast payments network, with more than 90,000 customers from the Credit Union Australia reported to have had their personal information compromised.

The breach reportedly exposed full names, PayID nicknames, mobile numbers, BSBs, and account numbers of customers. 

Nevertheless, despite the notoriety of these large-scale breaches, a substantial majority (62 per cent) of NDBs in this period involved personal information from 100 individuals or fewer.

While the private health sector came out an ignominious top of OAIC’s industry breakdown for total NDBs, accounting for 19 per cent of compromised data events, the finance sector fared little better, representing 17 per cent of these incidents.

Of these, ‘malicious or criminal attacks’ made up the bulk of the 42 breach incidents impacting the financial services industry, representing exactly half of all reported incidents. ‘Human error’ accounted for 18 incidents, with just three ‘system faults’ recorded in the report.

However, it should be noted, notifications made under the My Health Records Act 2012 were not included in the OAIC report as they remain subject to specific notification requirements set out in the Act.

The perennially targeted health and financial service sectors were followed by the legal, accounting and management services sector (10 per cent), the private education sector (9 per cent), and retail sector (6 per cent). Overall, the total of 245 data breaches between April and June is a slight increase on the previous quarter but remains in line with the average for all quarters.

Australian Information Commissioner and Privacy Commissioner Angelene Falk, responding to the increasing incidence of human-originated breaches, urged organisations to increase training and awareness of cyber risks among staff and customers.

With the NDB scheme now widely accepted among industry, Commissioner Falk said the onus is now on organisations to further commit to best practice in combatting data breaches and improving response strategies.

“Effecting change in practices to prevent breaches is vital to the goal of protecting the community. Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”