
Cyber-attacks top reason for data breaches: report

OAIC received 142 notifications of breaches resulting from malicious attack

Malicious or criminal cyber-attacks were responsible for 59 per cent of the 242 data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June.

The OAIC’s second quarter report, released on Tuesday, said there were 142 notifications of data breaches resulting from malicious cyber-attacks, followed by human error (88 notifications) during the period.

The commissioner said that the majority of malicious or criminal breaches were the result of compromised credentials while the most common human error was sending emails containing personal information to the wrong recipient.

The OAIC has received 305 notifications in total since the government’s notifiable data breaches scheme commenced on February 22 this year.

OAIC’s acting Australian Information Commissioner and Privacy Commissioner, Angelene Falk, said notifications this quarter show that one of the key aims of the scheme – ensuring individuals are made aware when the security of their personal data is compromised – is being met.

Falk said data breach notification to individuals by the entities experiencing the data breach can equip individuals with the information they need to take steps to reduce their risk of experiencing harm, which can reduce the overall impact of the breach.

“Notification to the OAIC also increases transparency and accountability,” said Falk. “The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance.”

Meanwhile, most data breaches involved the personal information of 100 or fewer individuals (148 notifications or 61 per cent of breaches) while 38 per cent or 93 reported breaches impacted 10 or fewer people.

Some breach reports also involved multiple entities. Under the data breach notification scheme, all entities involved have an obligation to notify the OAIC and affected individuals where an eligible data breach occurs.

But other arrangements can be put in place for one entity to discharge this obligation on behalf of others. It is best practice for entities to proactively establish clear procedures for how data breaches are to be handled and reported when third-party providers are used, the OAIC said.

The private health sector was the top sector for reporting data breaches under the Australian notifiable data breaches scheme with 49 notifications in the quarter. These notifications do not relate to the My Health Records system. The finance sector came in second with 36 notifications reported.
