Australian data breaches could lead to $86 billion in fines if prosecuted

As OAIC reports 539 more breaches during 2020, penalties put a price on their psychological harm.


A landmark Office of the Australian Information Commissioner (OAIC) determination against the Department of Home Affairs, ordering compensation after an investigation into a February 2014 data breach, suggests that the 539 data breaches reported during the second half of 2020 alone could cost the compromised organisations billions of dollars in penalties ($86 billion, by the extrapolation below) on top of direct damages and business interruption.

In a data-breach environment where penalties have been few and far between, the Home Affairs decision marks a significant step by putting hard dollar figures on the cost of data breaches, which continue to plague Australia both within government and across business.

Extrapolated to the OAIC's latest statistics on the operation of Australia's Notifiable Data Breaches (NDB) regime, the Home Affairs compensation tiers suggest that the penalties alone for those breaches, quite apart from their impact on the operations of the compromised organisations, would be substantial if every affected individual were compensated in a similar way.

Calculating the fine for a data breach

Under the terms of a formal OAIC determination, the Department of Home Affairs was ordered to pay anywhere from $500 to more than $20,000 to each of 1,297 asylum seekers whose identities were compromised when the department accidentally published their details online.

The compromised personal information, including full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details, and the reasons the individual was declared an "unlawful non-citizen", was published online, and a complaint was lodged with the OAIC in August 2015.

The leak actually included the details of all 9,258 individuals who were in immigration detention at the time, but compensation was limited to the 1,297 class members who made submissions substantiating their loss due to the data breach.

Loss, for the purposes of the decision, includes “any kind of physical or emotional harm, including stress and anxiety, or any negative impact on your mental or physical health as a result of the data breach,” the OAIC advised potential claimants. “It can include injury to feelings or humiliation. It can also include financial harm.”

A five-tiered compensation scale includes payments of $500 to $4,000 for people who suffered "general anxiousness, trepidation, concern, or embarrassment"; $12,001 to $20,000 for people suffering "development or exacerbation of a mental health condition as a result of the data breach, resulting in a referral to a mental health specialist for treatment"; and more than $20,000 for those suffering "extreme loss or damage".

Before reaching those compensation findings, Australian Information Commissioner and Privacy Commissioner Angelene Falk concluded after a five-year investigation that the department "has engaged in conduct constituting an interference with the privacy of class members when it acted in contravention of IPPs 4(a) and 11." The Information Privacy Principles (IPPs) were superseded by the Australian Privacy Principles (APPs) in March 2014, but were still in effect at the time of the breach.

The IPP numbering does not map one-to-one onto the APPs: IPP 4 covered storage and security of personal information and IPP 11 limits on disclosure, whereas today's APP 4 deals with unsolicited personal information and APP 11 with security of personal information. APP 11 is the closest modern counterpart to the breached obligations, mandating that organisations holding personal information must take "such steps as are reasonable in the circumstances to protect the information" and destroy or de-identify the data when it is no longer needed.

The huge potential for breach fines

Read in the context of the Department of Home Affairs penalties, the size of the newly reported breaches suggests that those breaches could expose companies to billions of dollars in fines if they were investigated in the same way.

The OAIC noted 11 breaches in which records relating to more than 100,000 individuals were affected, including three breaches involving 1 million to 10 million individuals and another breach affecting more than 10 million individuals.

Those 11 large breaches alone compromised the data of at least 15 million individuals, and across all reported breaches more than 15.4 million individuals were affected during the six-month reporting period.

If 14% of those individuals joined class actions against the organisations responsible for their breaches, the same proportion (1,297 of 9,258) as in the Home Affairs case, and the OAIC awarded them similar compensation, those 2.2 million aggrieved individuals could be owed anywhere from $1.1 billion (at $500 each) to $43.1 billion (at $20,000 each). Because the top tier is open-ended above $20,000, the bill could be higher still: at twice that rate, Australian data breaches could incur up to $86.2 billion in OAIC-ordered payouts, if they were all investigated and compensated in the same way.

Although 68% of breaches involved 100 individuals or fewer, in this context the larger breaches represent a significant potential financial burden—on top of whatever damage may have been caused to the company and its operations.

Using these potential financial penalties may help CSOs substantiate a case for investments in proactive data protection—particularly as the accelerated digital transformation of 2020 gives way to expanded investment in infrastructure and applications this year.

“Attackers thrive during times of uncertainty, and 2020 delivered that in spades,” said Gary Jackson, vice president for Asia-Pacific at Tenable. “By and large, the MO for most cybercriminals—whether they be rogue actors or state-sponsored—is the path of least resistance: They’re getting in through the low-hanging fruit. Getting the basics right, addressing vulnerability patching diligently, and implementing the right security control has now become critical because the criminals aren’t going anywhere.”

Quantum of cyber loss: The sad statistics of Australian data breaches

The second half of 2020 saw 539 reported data breaches, according to the OAIC's latest Notifiable Data Breaches Report, bringing the year's total to 1,051.

Repeating a familiar refrain, healthcare providers were far and away the most compromised—with 123 reported breaches—while there were 80 breaches of finance companies and 40 of education providers.

Despite the increase in cybersecurity activity during the COVID-19 pandemic and awareness of remote working’s increased privacy risks, the total number of breaches was virtually identical to those of the second half of 2019—when 537 breaches were reported to the OAIC. Significantly, the OAIC “is yet to identify any information or incidents that conclusively prove a link” between the surge in human-error breaches and the shift to remote working.

Some 58% of breaches were attributed to malicious or criminal attack, down 1% on the previous figures, while 38% were blamed on human error, up 18%.

The organisation also attributed the small decline in breaches caused by cybersecurity incidents, despite an overall surge in cybercriminal activity during the pandemic, to the fact that not all cybersecurity incidents constitute data breaches eligible under the NDB scheme. “More data and analysis are required before a view can be developed on the impact of remote working arrangements on the capacity of entities to securely manage personal information,” the report notes.

The relatively flat figures in the OAIC report may mask the true extent of the global surge in cybercriminal activity, said H. Daniel Elbaum, chairman of Australian identity provider VeroGuard Systems. "If global trends apply, the number of records compromised may have increased at an alarming rate," he said, citing findings of the global 2020 Year End Data Breach QuickView Report that "tells us that cybercriminals are becoming far more efficient with the number of records stolen—increasing by 141% in 2020 from the previous year despite a decline in the overall number of breaches."

Based on global trends, he added, “it is probable that Australia will have seen a sizeable increase in economic impact from cybercrime. This is not evident when reading OAIC’s report.”

Copyright © 2021 IDG Communications, Inc.