sdecoret - stock.adobe.com
Six weeks after Australia’s mandatory data breach notification regime came into full force, 63 breaches have already been reported, compared with 114 data breaches voluntarily disclosed in 2017.
The discrepancy reveals the extent of under reporting under the voluntary arrangements.
The Office of the Australian Information Commissioner (OAIC) revealed these numbers in its first-quarter report, which also singled out sectors that reported the most data breaches.
These include healthcare (24% of notifications), legal, accounting and management services (16%), finance (13%), private education (10%), and charities (6%).
Garrett O’Hara, principal technical consultant at Mimecast, said it was not surprising that health service providers accounted for almost a quarter of reported breaches, with health information involved in a third of breaches.
“One of the issues with the health sector is the reliance on legacy systems. During the WannaCry ransomware attack last year, the prevalence of older unpatched Window systems left organisations vulnerable to attacks,” he said.
O’Hara warned that with breaches becoming the norm, all organisations, regardless of size or sector, should have a cyber resilience strategy that includes patch management, application whitelisting, cloud e-mail protection, and importantly, cyber security awareness training.
“Without a cyber resilience strategy, organisations risk exposing sensitive data and substantial fines – and no organisation wants that,” he said.
Human error to blame
According to the report, about half (51%) of all breaches arose because of human error.
The OAIC’s acting information commissioner and acting privacy commissioner, Angelene Falk, said human error was also the most commonly identified problem among last year’s voluntary disclosures.
Jason Edelstein, chief technology officer at Sense of Security, an Australia-based information security and risk management consultancy, said it was worrying that so many breaches occurred because someone might have sent a document containing personal information to the wrong person.
“The problem is that we’re sending contact information and financial details to these people. If they are malicious, an attacker could use this information to conduct social engineering activity, which can have dire consequences.
“These errors should not be happening and we need to have better processes and policies in place to prevent this leakage of personal information. This requires us to educate employees on the cyber security risks and their responsibilities in handling data.”
Read more about cyber security in Australia
- Australia’s Cyber Security Strategy, aimed at protecting citizens, companies and critical infrastructure, has made significant headway over the past year, but the jury is still out on its long-term impact.
- The Australian Broadcasting Corporation is the latest organisation to fall prey to misconfigured Amazon S3 storage buckets, exposing database backups and sensitive data such as login credentials.
- Amid growing cyber threats, Australia’s cyber security centre calls for businesses to be more open about cyber incidents and plug potential loopholes in their supply chains.
- Unsanctioned cloud apps continue to be major bugbear among security chiefs in Australia, a Symantec survey has found.
While most breaches were accidental, a good proportion (44%) was described as malicious.
A recently released report based on a global survey of hackers in 13 countries, including some based in Australia, revealed just how quickly malicious actors can spirit data away.
In its second Black report, security software provider Nuix revealed that 40% of hackers could exfiltrate data in less than an hour, and an additional 33% could do so within five hours.
Report author and Nuix executive Chris Pogue, who this week presented at Sydney’s ACSC (Australian Cyber Security Centre) conference said: “Most organisations invest heavily in Perimeter defences such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass.
“If hackers can steal your data within a day, but you only find out it happened months later, you’re well on the way to becoming the next big news story,” he added.
Additional reporting by Aaron Tan.