Financial sector called out for laggard NDB response, May sees massive spike in data breaches

May saw a record monthly spike in cyber breach reports made as part of the Notifiable Data Breach (NDB) scheme, as staff security lapses and Covid uncertainties continue to plague Australian organisations.

Australia’s Office of the Information Commissioner (OAIC), which oversees the NDB scheme, received 124 breach notifications in May alone – a 33 per cent increase on the monthly average.

The breaches, a significant proportion (39 per cent) of which were reportedly down to human error, occurred during the height of Australia’s initial Covid lockdowns and transition to work from home operating models. However, the OAIC stressed that no specific cause for the increase has been identified, with no evidence that Covid-19 materially “[changed] business practices”.

Across the six-month reporting period (January to June 2020), a total of 518 breach notices were made to the OAIC.

While this figure is 3 per cent down on the previous reporting period, it is still 16 per cent higher than year-on-year NDB rates.

The health sector once again bore the brunt of cyber breaches, representing nearly a quarter (22 per cent) of all breach notifications across the six-month reporting period.

Finance (including banks, wealth managers, financial advisors, superannuation funds and consumer credit providers, but excluding insurance organisations) was again the second-highest reporting sector, representing 14 per cent of all breach notices (75 reports in total), a figure consistent with the previous six-month reporting period. Insurers, which are measured separately, reported 35 breaches, accounting for 7 per cent of notices across all industries.

Nearly two-thirds of notifications from financial companies were the result of malicious or criminal attacks (44 notifications).

The vast majority of malicious breaches within the finance sector were the result of “cyber incidents”, including phishing (10 notices), hacking (seven notices), and compromised or stolen credentials (five notices).

Anti-malware controls appear to be strong for financial services institutions (FSIs), with zero reported breaches resulting from malicious software.

Human error, however, continues to trouble the financial sector, with one in three breach notifications (a total of 25 notices) reportedly due to personal data being sent to the “wrong recipient” (via email or post) or through “unauthorised disclosure”, mostly owing to organisations’ failure to de-identify personal information.

“System faults” accounted for six cases of unintended release or publication of data by financial services organisations.

Slow response times

The finance sector was singled out for its laggard post-breach reporting response time, with more than one in three (35 per cent) reporting entities failing to notify the OAIC within the mandated 30-day notice period following identification of a breach.

Average compliance with the 30-day notice period was 74 per cent across all industries, 9 per cent higher than the finance sector.

Australia’s Privacy Act requires entities to carry out an assessment of a data breach within 30 days of becoming aware of “reasonable grounds to suspect that there may have been an eligible data breach”, the OAIC said in its NDB report. The Office of the Information Commissioner, as well as those individuals affected by the breach, must be notified “as soon as practicable” after an organisation confirms a data breach has occurred.

While the vast majority (84 per cent) of all reported data breaches notified under the NDB scheme from January to June 2020 involved ‘contact information’, including individuals’ home addresses, phone numbers or email addresses, more than a third of notifications involved more sensitive ‘identity information’, including passport numbers, driver licence numbers or other government identifiers.

Data breaches notified in this period also involved tax file numbers (17 per cent), financial details, such as bank account or credit card numbers (37 per cent), and health information (26 per cent).

The Notifiable Data Breaches scheme was established in early 2018 in an effort by the Australian Government to improve consumer protection and drive better security standards to protect personal information.

The NDB applies to agencies and organisations that are covered by the Privacy Act 1988 and are required to take reasonable steps to secure personal information.