Human error behind 74pc of govt data breaches: OAIC

OAIC Breach Report

Mishandling of personal information remains the leading cause of data breaches at Australian Government agencies, but the overall rate of reported data breaches is declining, the latest figures from the Notifiable Data Breaches (NDB) scheme report reveal.

The half-yearly report from the Office of the Australian Information Commissioner (OAIC), which covers the six months to June this year, saw the Australian Government place among the top five industry sectors by number of data breach notifications for the second consecutive reporting period.

The other sectors registering the highest numbers of notifications were health service providers (85 breaches), finance (57 breaches), legal, accounting and management services (35 breaches) and insurance (34 breaches); insurance replaced education, which featured in the prior reporting period.

Self-inflicted mishaps still appear to be plaguing government agencies. According to the OAIC, nearly three quarters (74 per cent) of the 34 breach notifications made by Australian Government agencies were attributed to “human error” – far above the 30 per cent average observed by the regulator across all sectors.

The finding is consistent with the regulator’s previous report, which covered the six months to December 2020 and in which human error accounted for 87 per cent of government breach notifications, although the proportion has fallen.

Notably, the most common misstep among Australian Government personnel was sending personal information to the wrong recipient (64 per cent), whether by email, post or other means, followed by unauthorised disclosure of information (32 per cent).

Responding to the incidence of human-caused breaches, Australian Information Commissioner and Privacy Commissioner Angelene Falk urged organisations to increase staff training and strengthen technological controls.

“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” Falk said.

While government was most affected by personnel errors, ‘malicious or criminal attacks’ were the leading cause of data breaches in each of the other top five sectors.

Overall, the OAIC received a total of 446 incident alerts between January and June this year – a 16 per cent decrease on the prior reporting period.

Of these, notifications attributed to human error (134 cases) declined by 34 per cent, while those arising from malicious or criminal attacks (289 cases) and system faults (23 cases) declined by five and four per cent respectively.

Encouragingly, Australian Government agencies notified no breaches attributed to system faults, a cause that was most common in the finance sector.

Cyber-attacks leading to data loss

Close to half of all notifications received by the OAIC – and 66 per cent of those attributed to malicious or criminal attacks – were the result of cyber security incidents.

This represents a nearly 10 per cent increase on the prior reporting period.

Reported cyber incidents comprised phishing (30 per cent), compromised or stolen credentials (27 per cent), ransomware (24 per cent), hacking (9 per cent), brute-force attacks (5 per cent) and malware (5 per cent).

The OAIC flagged the rise in ransomware attacks, which increased 24 per cent over the reporting period, as a “cause for concern”, noting the “difficulties assessing what data has been accessed or exfiltrated” following these incidents.

Because an entity that cannot establish what data was accessed may conclude that no eligible data breach occurred, the regulator cautioned that entities may not be reporting all eligible data breaches involving ransomware, meaning this type of attack is likely more common than the statistics suggest.

“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network,” the OAIC said in a statement.

In addition to ransomware, the regulator flagged impersonation fraud – a form of social engineering – as a rising concern, noting that the “growth of data on the dark web” was giving malicious actors enough personal information to circumvent traditional fraud monitoring controls.

The OAIC’s report also noted the slow reporting times of public sector entities, with just 35 per cent of Australian Government breach notifications made within 30 days of the entity becoming aware of the incident. Thirty days is the statutory benchmark: under the NDB scheme, an entity must complete its assessment of a suspected eligible data breach within 30 days of becoming aware of it, and notify the OAIC and affected individuals as soon as practicable after that.

By contrast, this figure stood at 67 per cent for finance, while surpassing 75 per cent for industries including healthcare, insurance, legal, accounting and management.

At the same time, just 71 per cent of breaches at government agencies were identified within 30 days of occurring; put another way, nearly three in ten government breaches went undetected for more than a month.

By contrast, this figure stood at 91 per cent for the insurance and the legal, accounting and management services sectors, and 92 per cent for health. Finance, however, fared worse than government, at just 61 per cent.

The OAIC’s latest NDB report is published on the OAIC website.