More than a third of reported Australian data breaches are due to human error, the Office of the Australian Information Commissioner (OAIC) has revealed as it released its first full-quarter statistical report about the functioning of the new Notifiable Data Breaches (NDB) scheme.

There were 242 notifications of eligible data breaches during the last quarter of fiscal 2018, according to the new report.

That represents an average of just under 81 breaches per month – a significant increase on the 55 incidents recorded in March, the first full month of NDB reporting.

Of the incidents reported during the fourth quarter, 59 percent were attributed to malicious or criminal attacks; 36 percent, to human error; and 5 percent, to system faults. The number of incidents increased month on month – growing from 55 in March to 65 in April, 87 in May, and 90 in June.

At least 1.189 million records were compromised during the quarter, with one single incident reported as involving the data of 1 million to 10 million individuals alone. Some 23 incidents each involved 1000 to 5000 individuals, although 61 percent of all breaches involved 100 individuals or fewer.
“Notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met,” acting Australian Information Commissioner and acting Privacy Commissioner Angelene Falk said in a statement.

“Data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of a breach.”

Financial details were compromised in 102 breaches (42 percent of all incidents), identity information in 94 incidents (39 percent), and health information in 61 cases (25 percent).

The health sector reported 49 breaches during the quarter – none of which related to the government’s contentious My Health Record (MHR) system – while finance operators were hit 36 times.

The high levels of health information loss highlight ongoing issues in that sector – which also topped the OAIC’s first NDB report and is regularly highlighted for its poor management of security practices such as patching.

This has led to growing concern about the security of the MHR scheme, particularly in the wake of findings such as a recent report in which half of healthcare CISOs admitted having suffered a data breach in the last 24 months.

The results “come as no surprise,” said CQR co-founder and chief technology officer Phil Kernick in a statement.

“For some reason, IT security messages are not yet ingrained in the mindset of each and every employee within an organisation and it remains to be seen if Australian businesses have actually worked out how much risk they are willing to stomach.
Indeed, the jury is out on just how aware the average medium-sized business is of the current risk landscape.

The high rate of human error reiterates common concerns about the role of human mistakes in disseminating confidential information.

In 22 cases, the OAIC said, an email containing personal information was sent to the wrong recipient; personal information was unintentionally released or published in 12 incidents; and personal information was posted to the wrong recipient in 10 cases. Nine incidents, involving the loss of paperwork or a data storage device, affected 1199 individuals on average.

The findings confirmed the experiences of consultancy Dekko Secure, according to managing director Jacqui Nelson. “Our recent experience conducting security audits inside the legal, healthcare, engineering and public sector organisations, shows that human error continues to be at the heart of at least half of all security breaches,” she said in a statement.

“Too often, a desire to just get the job done in the fastest and most efficient way means that we mere humans fall prey to simple errors…. This latest quarterly mandatory data breach report suggests that security still isn’t getting the attention it commands inside organisations.”

“Companies need to do a complete audit and review of the simplest communication channels inside their organisations and ensure they are doing everything they can to secure these channels.”

Some of the notifications may have been lodged by different entities but relate to the same event, the OAIC noted.

Ultimately, the figures serve as a warning to other companies that data breaches are a real and growing threat. “Notification to the OAIC also increases transparency and accountability,” said Falk.
“The report provides important information on the causes of data breaches so all entities can learn lessons and put in place prevention strategies.”