Last updated: 18 June 2019
The Office of the Australian Information Commissioner (OAIC) found that a single data breach affected more than 10 million Australians.
In its latest Notifiable Data Breaches Quarterly Statistics Report, the OAIC reveals that it received 215 notifications of data breaches under the Notifiable Data Breach Scheme between 1 January and 31 March 2019. Nearly all of those security incidents (189) affected between one and 1,000 Australians. But there were a few events that claimed even more victims. Twelve of these data breaches affected 5,000 individuals, for instance, while two incidents compromised 25,000 people’s data. One data breach even affected more than 10 million Australians.
A closer look at report reveals that the majority of these data breaches (186 incidents, or approximately 88 percent) compromised Australians’ contact information. Slightly half of those security events (98) exposed victims’ financial details. Meanwhile, 55 data breaches compromised individuals’ identity information.
Malicious actors and criminals were responsible for most of the breaches disclosed to the OAIC within this reporting period. Indeed, malicious or criminal attacks accounted for 61 percent of data breach notifications in Q1 2019. Human error came at 75 data breaches, or 35 percent of the total, while system faults were responsible for just nine breaches or four percent of the total.
Those human error incidents warrant additional analysis, as a vast array of faults were behind those events. Personal information sent to the wrong recipient via email came in on top at 23 of the 75 human error data breaches. Close behind it was unauthorised disclosure (unintended release or publication) at 21 cases, which was followed by 12 instances of loss of paperwork/data storage device and nine occurrences where someone sent personal information to the wrong recipient via mail. Unauthorised disclosure (verbal or failure to redact), other occasions where someone sent personal data to the wrong recipient and a failure to use BCC when sending email were all responsible for three or fewer security instances each.
The first quarter of 2019 represents the first time that the number of data breaches reported to the OAIC decreased. Between Q2 2018 and Q3 2018, for instance, the total number of security incidents increased slightly from 242 to 245. The rate of growth was even more significant between Q3 2018 and Q4 2018 from 245 to 262.
But that doesn’t mean that organisations are any less safe now than they were in 2018. In acknowledgment of the NDB’s scheme, Australian Information Commissioner and Privacy Commissioner Angelene Falk explained that organisations need to take steps to protect themselves against digital threats. She said that one of the best ways they can do this is by investing in their users:
By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them. Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.
To be sure, should balance these investments in their people with appropriate investments in technology. Specifically, they should encrypt all sensitive data at rest and in transit, securely store and manage all encryption keys and control user access and authentication. By implementing each of these measures, companies can protect themselves against data breaches.