On 31 July, the Office of the Australian Information Commissioner (OAIC) released its second Notifiable Data Breaches Quarterly Statistics Report.
This report covers the first full quarter since the Notifiable Data Breaches scheme (NDB scheme) began on 22 February 2018, and the OAIC has clearly put some work into building out the report with detailed stats and breakdowns. Let’s take a look.
Going up, up, up!
This quarter there were 242 notifications overall, noting that multiple notifications relating to the same incident (including the infamous PageUp breach) were counted as a single breach.
The OAIC’s month by month breakdown shows a steady increase in notifications by month, going from 55 notifications in March to 90 notifications in June. Overall, accounting for the partial quarter in the first report, we’ve seen a doubling in the rate of notifications.
However, there are a lot of factors that may be affecting the notification rate. Since February, many companies and agencies have implemented new processes to make sure they comply with the NDB scheme, and this may be driving more notifications. On the other hand, in our experience a lot of companies and agencies are still unsure about their notification obligations and when to notify, so they might be over reporting – notifying breaches that may not meet the ‘likely risk of serious harm’ threshold just to be sure that they are limiting their compliance risk.
At this early stage of the scheme, we think it’s premature to draw any conclusions on rising notification rates. The rate may change significantly as companies and agencies come to grips with their obligations and what does and doesn’t need to be reported.
Teach your children staff well
59% of breaches this quarter were identified as being caused by malicious or criminal attacks. The vast majority (68%) of attacks were cyber incidents and, of those, over three quarters related to lost or stolen credentials. This includes attacks based on phishing, malware, and social engineering. Brute force attacks also featured significantly.
We think that the obvious conclusion here is that there’s an opportunity to significantly reduce the attack surface by training your staff to better protect their credentials. For example, teach them how to recognise phishing attempts, run drills, and enforce regular password changes.
There are also some system issues that could be addressed, such as multi-factor authentication, enforcing complex password requirements, and implementing rate limiting on credential submissions to prevent brute force attacks.
To err is human
Human error accounted for 36% of breaches this quarter. It was the leading cause in the first quarterly report, but again, there are a number of factors that could have caused this shift.
Notably, over half of the breaches caused by human error were scenarios in which personal information was sent to the wrong person – by email, mail, post, messenger pigeon or what have you, but especially email (29 notifications). Again, this suggests a prime opportunity to reduce your risk by training your staff. For example, it appears that at least 7 people this quarter didn’t know (or forgot) how to use the BCC/Blind Carbon Copy function in their email.
People make mistakes. And we know this, so it’s a known risk. We should be designing processes and systems to limit that risk, such as systems to prevent mistakes in addressing.
Doctors and bankers and super, oh my!
Much ink has been spilt over information governance in the health and finance sectors recently, and those sectors accounted for more notifications than any other this quarter (49 and 36 notifications respectively). These are pretty massive industry sectors – healthcare alone accounts for 13.5% of jobs in Australia – so scale is likely affecting the high number of notifications. Anyway, the OAIC has helpfully provided industry level breakdowns for each of them.
In the finance sector (including superannuation providers), human error accounted for 50% of all breaches, and malicious attacks for 47%. Interestingly, in the finance sector almost all the malicious attacks were based on lost or stolen credentials, so we’re back to staff training as a key step to reduce risk.
Bucking the trend, human error accounted for almost two thirds of breaches in the health sector – clearly there’s some work to be done in that sector in terms of processes and staff training. Of the breaches caused by the malicious attacks, 45% were theft of physical documents or devices. This isn’t particularly surprising, as it can be challenging for small medical practices that make up a large part of the sector to provide high levels of physical security. It’s important to note that these notifications only came from private health care providers – public providers are covered under state-based privacy legislation. Also, these statistics don’t cover notifications relating to the My Health Records system – the OAIC reports on those numbers separately in its annual report. So these stats don’t offer a full picture of the Australian health industry as a whole.
All in all, this quarter’s NDB scheme report contains some interesting insights, but as agencies and organisations become more familiar with the scheme (and continue to build their privacy maturity), we may see things shift a bit. Only time will tell.