by David Braue

At least 10m records compromised in single Australian data breach despite drop in NDB reports

May 16, 2019

The number of reported Australian data breaches declined last quarter for the first time since the Notifiable Data Breaches (NDB) scheme began over a year ago – but a disproportionate number of healthcare breaches, and a surge in the proportion of malicious or criminal attacks, suggest that the change isn’t necessarily a sign that businesses are getting better about data security.

The Office of the Australian Information Commissioner (OAIC) was notified about 215 data breaches during the first calendar quarter of 2019, the latest Notifiable Data Breaches Quarterly Statistics Report revealed.

The volume of breaches – an average of 72 breaches per month – was down from 242 in the first full quarter of reporting – the period ending June 2018 – and 245 notifications in the first quarter of the current financial year.

The OAIC received 262 breach notifications in the last quarter of 2018.

John Donovan, ANZ managing director of security firm Sophos, was concerned that the healthcare sector – which reported 58 breaches, well ahead of finance (27), legal (23), education (19) and retail (11) – retained the dubious honour of being Australia’s most-breached industry.

“It is very concerning to see health service providers continuing to be targeted and successfully breached by attackers,” he said in a statement. “It goes without saying that this industry is dealing with incredibly sensitive and personal data and, as such, has a huge responsibility to the people of Australia to protect their data effectively.”

“The report serves as a reminder to the healthcare industry to implement robust security practices to protect the extremely sensitive data they are entrusted with.”

Companies still struggling to change risk profile

Yet while some 61 percent of breaches in the latest quarter were attributed to malicious or criminal attacks – up from 59 percent in earlier quarters – it appears Australian companies have failed to implement such practices.

Nor are they succeeding in reducing issues around human error – which accounted for 35 percent of breaches in the latest quarter.

Australian Information Commissioner and Privacy Commissioner Angelene Falk, in announcing the latest quarterly report, said the figures reflected “a clear trend towards the human factor” and warned companies that “after 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”

The figures may be artificially low because they came during the annual summer holiday period, with just 62 breaches reported during January and 67 in February – a time when Australian systems administrators, and likely cybercriminals as well, are generally away from work for several weeks.

Breach volumes picked up again in March, when 86 breaches were reported.

More encouraging was the fact that the number of large breaches was down over previous quarters, with 88 percent of breaches involving 1000 records or fewer.

Yet there was one breach involving 10 million or more records – potentially involving half or more of Australia’s entire population – and 8 breaches that involved between 10,000 and 500,000 records each.

That means at least 10,451,843 records were breached during the quarter.

Fully 186 breaches (86.5 percent) involved contact information, while 98 breaches (45.6 percent) involved financial details and 63 (29.3 percent) involved health information.

With so much sensitive data being compromised, the continuing role of human error was noteworthy, Bitglass Asia Pacific vice president David Shephard said in a statement, in which he also noted that the growing role of the cloud was adding to the challenge.

“We aren’t talking about malicious insiders, just everyday users who make simple and avoidable errors,” he said. “The cloud can complicate things: in the cloud, inappropriate sharing of data and system misconfigurations may be rife, but would an organisation even know?”