beebright -

More data breaches from ransomware attacks in Australia

The number of data breaches caused by ransomware rose to 33 in the first half of 2020 from 13 in the previous six-month period, according to the latest report from the Office of the Australian Information Commissioner

Ransomware attacks were one of the top causes of data breaches in Australia during the first half of this year, according to the latest statistics report from the Office of the Australian Information Commissioner (OAIC).

According to the report, the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June.

“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” said Australian information and privacy commissioner Angelene Falk. “This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.”

“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.

“This trend has significant implications for how organisations respond to suspected data breaches – particularly when systems may be inaccessible due to these attacks.

“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”

Notwithstanding the growing threats from ransomware, there was slight fall in the number of breaches reported (518) against the previous six-month period (532), but an increase of 16% compared to the same period last year.

Across the reporting period, approximately 77% of notifying organisations were able to identify a breach within 30 days of it occurring.

However, in 47 instances, the organisation took between 61 and 365 days to become aware and assess that a data breach had occurred, while 14 entities took more than a year.

“Organisations must be able to detect and respond rapidly to data breaches to contain, assess and notify about the potential for serious harm,” Falk said.

“A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.

“In these cases, we required the organisation to re-issue the notification. We will continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”

The number of notifications per month also varied widely across the reporting period, ranging from 63 in January to 124 in May – the highest number of data breaches reported in a month since the notifiable data breaches scheme began in February 2018.

While the increase coincided with widespread changes in working arrangements due to the Covid-19 outbreak, Falk said the OAIC had not found evidence to suggest the increase in May was the result of changed business practices.

“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” she said.

“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.

“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the Covid-19 outbreak and through the recovery.”

Lindsay Brown, vice-president for Asia-Pacific and Japan at LogMeIn, said organisations should be equipping employees with appropriate training and tools to mitigate risks from human error.

“For example, the risks of credential theft, abuse and phishing can be minimised by organisations adopting password managers with single sign-on and passwordless multi-factor authentication to thwart password-related risks.

“However, there also needs to be a larger focus on educating employees on cyber security and privacy best practices, as simple things like failure to use BCC when sending an email contribute to employees being many organisations’ weakest link,” he said.

Read more about cyber security in Australia

Read more on Data breach incident management and recovery

Data Center
Data Management