NDB report: Health care tops security concerns again
The number of data breaches reported under Australia's Notifiable Data Breach (NDB) scheme fell to 215 for the March quarter, down from 262 the quarter before.
But notifications increased during every month of the quarter, from 62 in January to 67 in February and 86 in March, the Office of the Australian Information Commissioner’s latest quarterly NDB report found.
SailPoint Vice President APJ Terry Burgess said the month-on-month increase is cause for concern.
“If the numbers don’t serve as a wake-up call to business leaders on the importance of security and access, I don’t know what will. Business leaders need to fully understand the cost of breaches — from financial to reputational — and focus on putting strategies in place that protect themselves and their customers,” he said.
Of the breach notifications filed during the quarter, one impacted more than 10 million people, with a total of 25 breaches impacting more than 1000 individuals. The majority (68%) involved the personal information of 100 or fewer individuals, with 65 breaches affecting a single person.
The most commonly exposed information included contact information (involved in 87% of breaches), financial details (46%), identity information (26%), health information (29%) and tax file numbers (17%).
The statistics also show that malicious or criminal attacks accounted for 61% of data breaches during the quarter, with human error responsible for 35% and system faults for the remaining 4%.
Of the 131 data breaches associated with malicious attacks, 66% involved cyber attacks such as phishing (20%), hacking (13%), malware (13%), ransomware (7%), brute force attacks (7%) and the use of compromised or stolen credentials (40%).
Common causes of data breaches associated with human error include sending personal information to the wrong recipient over email, unintended release or publication of information and the loss of paperwork or data storage devices.
The report also shows that the healthcare sector again led the top five sectors by notifications during the quarter. The OAIC received 58 notifications from the sector, more than double the number received from the second-ranked sector, the finance industry (27).
“It is very concerning to see health service providers continuing to be targeted and successfully breached by attackers,” Sophos ANZ Managing Director John Donovan commented.
“It goes without saying that this industry is dealing with incredibly sensitive and personal data and, as such, has a huge responsibility to the people of Australia to protect their data effectively. The report serves as a reminder to the healthcare industry to implement robust security practices to protect the extremely sensitive data they are entrusted with.”
Meanwhile, the OAIC has separately released the Notifiable Data Breach 12-month Insights Report. This report found that 964 data breach notifications have been submitted over the first four full quarters of the scheme’s operation, with 60% of these traced to malicious or criminal attacks.
More than a third of breaches were directly due to human error, with one in 10 breaches involving emailing personal information to the wrong recipient.
The OAIC has also received 168 voluntary notifications related to incidents that do not meet the threshold for mandatory reporting, or that affected companies not regulated under Australia’s Privacy Act.
“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said during the release of the annual report.
“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe. After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”