Financial details lost in over 40pc of cyber breaches: OAIC

NDB scheme

Highly sensitive financial details, including bank account and credit card numbers, were exposed in 41 per cent of cyber breaches targeting Australian organisations that report to the Commonwealth’s Office of the Australian Information Commissioner (OAIC).

The OAIC’s half-yearly Notifiable Data Breach (NDB) scheme report, which covers the July to December 2022 period, showed a marked 26 per cent uptick in breach notifications by Australian organisations compared to the previous six-month period.

In total, the information commissioner received 497 breach notifications in the six-month reporting period, up from the 249 notifications received between January and June. (While this is a little short of the record 539 notifications lodged in the July to December 2020 period, during the height of the Covid lockdowns, NDB rates have consistently trended upwards since early 2021.)

The vast majority of breaches – 70 per cent, or 350 notifications – in the most recent half-year period were the result of malicious or criminal activity.

Out of the total 497 breaches reported, sensitive financial details were lost in 205 cases.

Unsurprisingly, contact information (88 per cent of breaches) and identity information (60 per cent of breaches) remain the most common categories of personal information exposed in cyber incidents.

FSIs, again, co-lead breach reporting stats

Health service providers (71 breaches, or 14 per cent of all notifications) and the finance industry (68 breaches, also representing 14 per cent of all notifications) once again reported the most data breaches of all sectors, an order which has not changed since the NDB scheme began in mid-2018.

Insurance providers (representing 8 per cent of notifications), legal, accounting and management services (7 per cent) and recruitment agencies (7 per cent) made up the rest of the top 5 sectors by notifications.

More than two out of three (68 per cent) breaches of finance sector businesses (which includes banks, wealth managers, financial advisors, superannuation funds, and consumer credit providers, but excludes insurers) were the result of malicious or criminal attacks.

Human error represented a little under one in three (29 per cent) reported breaches by finance businesses – mostly the result of email mishaps or unauthorised disclosures.

The malicious breach rate was even higher for the insurance sector, with four out of five (79 per cent) breaches reported by insurance businesses being the result of hacking activity.

Most malicious or criminal attacks targeting financial services were the result of what the OAIC classifies as ‘cyber incidents’.

Phishing (nine notifications), ransomware (eight notifications), brute force attacks (five notifications) and compromised credentials (three notifications) made up the bulk of such cyber incidents targeting financial services businesses.

However, the financial services sector was also inordinately impacted by social engineering and impersonation scams, with financial businesses reporting 15 such incidents while insurers reported a total of 17. By comparison, the health sector reported just one such incident.

Insurers were also the sector most affected by compromised or stolen credentials, which resulted in 12 reported breaches.

FSIs lag in identifying, reporting breaches

Most finance businesses (66 per cent) reported incidents to the OAIC within 30 days, though they lagged considerably behind the health sector, where 80 per cent of health service providers notified the OAIC within the advised 30-day timeframe.

Financial services businesses were also the slowest of the five sectors to identify breaches. Around 45 per cent of insurers and 25 per cent of financial businesses reportedly took more than 30 days to spot a breach.

Australian information commissioner and privacy commissioner Angelene Falk noted the significant increase in data breaches “impacting a larger number of Australians” in the latter half of 2022.

She urged all organisations to “take appropriate and proactive steps to protect against and respond to a range of cyber threats”.

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

The NDB scheme requires regulated entities to notify the Commissioner, as well as affected individuals, of ‘eligible data breaches’ – that is, a breach that is likely to result in serious harm to any of the individuals to whom the information relates.