Learning from others: Notifiable data breach - latest quarterly figures

Since the commencement of the Notifiable Data Breach (NBD) scheme under the Privacy Act 1988 (Cth) in February 2018, the Office of the Australian Information Commissioner (OAIC) has been publishing reports on quarterly statistics relating to notifiable data breaches. We outlined last quarter’s NBD statistics report in Data at Risk? Latest Quarterly Figures from the Office of the Information Commissioner.

Types of NDB

The latest quarterly figures depict that there is an increase of NDBs from 245 in July to September 2018 to 262 in October to December 2018.1

By type, NDBs caused by human error has decreased from 37% to 33%, malicious or criminal attacks rose from 57% to 64% and systems faults have decreased from 6% to 3%.2 

Of the malicious or criminal attacks, 68% of these related to cyber incidents.3 Phishing, once again, was the highest type of cyber incident breach this quarter, comprising 43% of all cyber incidents notified.4 

Although NDBs caused by human error decreased compared to last quarter, within this category, the average number of individuals affected per breach, for unintended release or publication of personal information, rose significantly from an average of 633 persons affected per notification to 17,746 persons affected per notification.5 

Conversely, whilst the number of notifications for failure to use blind carbon copy increased this quarter from 6 to 9, the average number of affected individuals per notification decreased from 494 to 234.6 

As with the last quarter, unintended release or publication was the highest of the types of system faults.7 

By industry sector

The top four sectors that reported NBDs remained the same this quarter, being, in order:

  1. Health service providers;
  2. Finance;
  3. Legal, accounting and management services; and
  4. Education.8 

Mining and manufacturing took fifth place over personal services from last quarter.9 Notably, within the finance sector, malicious and criminal attacks increased from 46% to 70% of all notifications in this sector.10 Although not the largest contributor in health services (which is still human error at 54% of all NDBs within the sector), malicious and criminal attacks have increased from 42% to 46% this quarter.11 

Conclusion

It is important for organisations to learn from the notifications of the NDBs that took place this quarter and recognise potential risk areas that may need to be addressed. An organisation should turn its mind to the potential loss of market share, profitability and other losses that may result from any notifiable or other data breach.

Organisations should also consider, amongst other things, further training for users and staff, implementing cyber specific system software to protect their systems and data, and consider obtaining cyber insurance as a last means of resort to reduce and manage potential risk.

 

1 Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018 (Report, 30 October 2018) 4 (‘July – September Quarterly Report’); Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report 1 October – 31 December 2018 (Report, 7 February 2019) 4 (‘October – December Quarterly Report’).
2 July – September Quarterly Report (n 1) 3; October – December Quarterly Report (n 1) 3.
3 October – December Quarterly Report (n 1) 10.
4 Ibid 11.
5 July – September Quarterly Report (n 1) 9; October – December Quarterly Report (n 1) 9.
6 July – September Quarterly Report (n 1) 9; October – December Quarterly Report (n 1) 9.
7 July – September Quarterly Report (n 1) 12; October – December Quarterly Report (n 1) 12.
8 July – September Quarterly Report (n 1)13; October – December Quarterly Report (n 1) 13.
9 July – September Quarterly Report (n 1) 13; October – December Quarterly Report (n 1) 13.
10 July – September Quarterly Report (n 1) 23; October – December Quarterly Report (n 1) 23.
11 July – September Quarterly Report (n 1) 27; October – December Quarterly Report (n 1) 27.