Key takeaways from the latest Notifiable Data Breach Scheme stats
The Office of the Australian Information Commissioner (OAIC) recently released its Notifiable Data Breaches Report for the period from January to June 2021.
The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information.
Just 446 data breaches were notified to the OAIC under the NDB scheme between January and June 2021, a 16% decrease on the previous six-month reporting period.
Compared with the previous reporting period, both the overall number of notifications and the number attributed to malicious or criminal attacks fell, so the headline numbers look positive. The share of breaches caused by malicious or criminal attacks, however, rose (see below).
Health sector remains highest reporting sector
Health has reported the highest number of data breaches in every reporting period since the NDB scheme began in 2018, and in this period it accounted for 19% of all notifications. The finance sector follows at 13%.
Malicious or criminal attacks largest source of data breaches
Malicious or criminal attacks were the leading source of data breaches notified to the OAIC during the latest reporting period, accounting for 289 breaches (being 65% of all breaches, up from 57% in the previous reporting period). Other major sources of breaches were human error (30%) and system faults (5%).
66% of all breaches in the malicious or criminal attack category involved cyber incidents. Other attacks in that category involved social engineering or impersonation, actions of rogue employees / insider threats, and theft of paperwork or storage devices. Those figures serve as a reminder that cyber defences need to focus on both internal and external threats.
Contact information remains most common type of personal information involved in data breaches
Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches. Most data breaches (91%) notified under the NDB scheme involved ‘contact information’, such as an individual’s name, home address, phone number or email address. This is distinct from ‘identity information’, which was exposed in 55% of data breaches and includes an individual’s date of birth, passport details and driver licence details. Financial details, such as bank account and credit card numbers, were involved in 43% of breaches.
The OAIC was notified of 35 incidents in which “malicious actors” used social engineering or impersonation: they contacted a call centre, passed the organisation’s phone-verification process, and were then able to log into the victim’s account to change personal or payment details or carry out fraudulent transactions.
“Australians need to assume that their private information is ‘out there’, available for sale and that they should act accordingly when being contacted by an individual or organisation that they don’t recognise,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
What policies and procedures should organisations have in place?
While notifications may be down, it’s essential that organisations do not let their guard down.
The OAIC highlighted some of the policies and procedures it expects businesses to have in place to meet their obligations under the Privacy Act. These include:
- regularly reviewing security measures, controls and identity verification processes intended to minimise the risk of impersonation fraud;
- having appropriate internal practices, procedures, and systems to undertake a proper assessment of whether a cyber incident has resulted in an eligible data breach; and
- having appropriate audit and access logs, a routinely tested backup system and an appropriate incident response plan.