Data breaches in Australia show no sign of abating

In the three months to the end of December 2018, Australian authorities were alerted to 262 data breaches which potentially exposed Australians’ personal information – the vast majority classed as resulting from malicious or criminal actions.

The nation’s notifiable data breach scheme turns one year old on February 22, and in its first four quarterly reports (the first covering only a partial period) the Office of the Australian Privacy Commissioner dealt with 812 notifications of breaches deemed serious enough to potentially cause serious harm to an individual.

In one case reported last quarter, more than a million Australians would have been potentially impacted. And, while in most cases the personal data compromised was contact information, people’s tax file numbers were put at risk in 46 separate breaches during the quarter.

The leading sectors affected were private health service providers, finance, legal, accounting and management services, private education providers, as well as mining and manufacturing.

Announcing the report, Australian Information Commissioner and Privacy Commissioner Angelene Falk said preventing data breaches and improving cyber security had to remain a priority for all organisations handling personal information.

While 64% of breaches were traced to malicious or criminal attacks, 33% were blamed on human error and 3% on system faults.

Given the use of techniques such as phishing to gain access to systems, Falk called for employees to be aware of the common tricks used by cyber criminals to steal usernames and passwords, while consumers were advised to be alert to scams and regularly change their passwords.

Small and mid-sized firms are particularly at risk, according to Phil Kernick, co-founder and chief technology officer of CQR Consulting, who said medium-sized businesses were guilty of often slack cyber security. He predicted there would be an enforceable action against at least one Australian company in the coming year.

Aura Information Security country manager Michael Warnock meanwhile warned that many mid-sized businesses will remain a happy hunting ground for cyber criminals as management teams remain reluctant to invest in high tech protection. 

At the same time, they just do not expect an attack will happen to them, so they refrain from elevating the issue on their training agendas. 

“The harsh reality is, cyber attacks will continue to grow in both frequency and complexity over the coming year,” he said. “Both business and IT teams should accept the threat is present, implement ongoing training to teach employees to recognise potential threats, adopt responsible data protection behaviour and allocate sufficient funds to cover protection measures that commensurate with their organisation’s risk profile.”

According to Paul Trulove, chief product officer of identity governance company SailPoint, Australian organisations are struggling to see and understand the risks associated with compromised user credentials, as demonstrated by 43% of cyber incidents involving phishing, 8% resulting from brute-force attacks and 24% from compromised or stolen credentials.

“The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers,” he said.