Data breaches fall 16% in first half of 2021
Australian organisations reported 446 data breaches to the Office of the Australian Information Commissioner (OAIC) during the first half of the year, down 16% from six months prior.
The OAIC’s half-year Notifiable Data Breaches report found that breaches attributable to criminal attacks fell 5% over the same period to 289, while breaches resulting from human error shrank 34% to 134. Breaches attributable to system faults fell 4% to 23.
But data breaches arising from ransomware incidents increase by 24% to 46, a trend Australian Information Commissioner and Privacy Commissioner Angelene Falk said is cause for concern.
“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat, she said. “The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.”
The OAIC was also notified of a number of data breaches resulting from impersonation fraud during the reporting period.
“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.
“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm. Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”
The report also found that contact information was the most common type of personal information involved in data breaches — involved in 91% of all reported breaches.
The health sector remained the highest reporting industry sector (19% of all notifications), followed by finance (13%).
Meanwhile, 65% of data breaches affected 100 or fewer people, with 93% affecting 5000 individuals or fewer.
Finally, the report found that 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
CrowdStrike CTO for APAC and Japan Fabio Fratucello said this demonstrates that many organisations still lack the capacity to promptly respond to and report cyber threats.
“CrowdStrike urges organisations to continue to uplift their cyber capabilities and pursue the ‘1-10-60 rule’ to combat cyber threats and effectively mitigate breaches. Detect incidents in under 1 minute, investigate and understand threats in under 10 minutes, and contain and eliminate the adversary from the environment in under 60 minutes,” he said.
Barracuda APJ Sales Engineer Manager Mark Lukie added that the smaller number of victims per attack could suggest that “attacks are more targeted rather than a spray-and-pray approach emphasising the increase in socially engineered attacks to evade traditional email security technology”.
According to Attivo Networks ANZ Regional Director Jim Cook, just over a quarter of the cyber-related incidents involved compromised credentials. “[This] validates the need to detect and respond to credential-based attacks much earlier in the attack cycle. If the use of compromised credentials can be detected early it is far easier to stop the breach occurring,” he said.
Organisations of every size across every industry have had to evolve their security practices to...
In today's business landscape, perimeter-based security is no longer sufficient.
Businesses across Australia and New Zealand continue to be targeted by cybercriminals as...