Data breaches in Australia showing no signs of abating
Compromised login credentials and human error were the most common causes of data breaches reported under Australia’s notifiable data breach regime from July to December 2019
The number of data breaches continues to grow in Australia, underscoring the need for local companies to shore up their cyber hygiene amid mounting cyber attacks.
According to the Office of the Australian Information Commissioner (OAIC), 537 data breaches were reported between July and December 2019, a 19% increase over the first half of the year.
Almost one in three breaches involved compromised login credentials, possibly obtained through phishing, which itself accounted for at least 15% of data breaches during the reporting period, the OAIC noted in its latest Notifiable data breaches (NDB) report.
In total, malicious or criminal attacks (including cyber incidents) accounted for 64% of all data breaches.
Human error was also a key risk, causing 32% of all data breaches. The most common form was unintended disclosure of personal information to the wrong recipient via email, which alone accounted for 9% of all breaches.
Australian information commissioner and privacy commissioner Angelene Falk said: “The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches.
“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts.
“Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.
“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box,” Falk said.
Personal information stored in email accounts can include financial information, tax file numbers, identity documents and health information, which can be exploited by malicious actors who gain access to inboxes, she warned.
The healthcare sector again notified the most breaches, accounting for 22% of all notifications over the six-month period, followed by the finance sector with 14%.
Most data breaches affected fewer than 100 individuals, in line with previous reporting periods.
Falk noted that the NDB scheme is now well-established as an effective reporting mechanism. “There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies,” she said.
“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised.”
Lindsay Brown, LogMeIn’s vice-president of Asia-Pacific and Japan, said the first biannual update of the NDB scheme is evidence that passwords and credentials continue to be mismanaged in the workplace.
“Evidently, the threat to the digital landscape continues to worsen and organisations must be keenly aware of the importance of their employees using strong credentials. The figures are hard-hitting facts that business leaders need to take into account when educating employees on the importance of appropriate security hygiene and establishing requirements such as minimum length and complexity for items like passwords.
“Clearly the standard approach of employee security training with no tools to support behaviour change is failing businesses across all sectors,” he said, calling for organisations to explore password management, single sign-on and multi-factor authentication to keep their login credentials secure.