Data Breaches Continue To Bite: Notifiable Data Breaches Dec 2018 Quarter

In November, Allen Legal reported on the release of the Privacy Commissioner’s report on data breach notifications for the September Quarter. The recently released December Quarter report for 2018 gives us a view on developments as the Mandatory Data Breach Notification regime completes its first year of operation. The statistics reveal that, despite a growing number of notifications being reported, breaches caused by avoidable human error and ‘low-tech’ attacks are on the gradual decline.

In total, 262 notifications were made for the December Quarter. This is an increase from 245 in the previous quarter.

Malicious attacks were the leading cause of notifiable data breaches, constituting 64% of total incidents. This signifies an increase from the previous quarter, where 57% of reported breaches were attributable to such attacks.

The majority of these attacks involve usernames and passwords being compromised. This is done either through phishing, accounting for 50% of all cyber incidents, or through brute-force attacks, which make up 12% of these incidents.

Worryingly, a further 19% also involved stolen credentials, but the method was unknown. This is cause for concern for two reasons. First, it shows inadequate incident response; second, it will be problematic for remediation, not to mention any subsequent legal or regulatory action. If you don’t know how the breach occurred, it might be hard to convince your customers, the regulator or an insurer that it won’t happen again.

Phishing has decreased as a proportion of total cyber incident breaches, which may point to improved training of staff to recognise the warning signs of suspicious emails. Despite this, it still makes up fully 50% of incidents, again underscoring the need for continued awareness training so that privacy and data security are front of mind.

There has also been a notable increase in ransomware attacks, from 3% to 10% of cyber incidents. Such results point to an ongoing need for companies to implement prevention strategies to minimise the harm that can result from a data breach. Most importantly, businesses need to make sure they have reliable procedures in place to back up their systems and to restore them quickly if they are hit with ransomware.

Human error fell as a percentage of total notifications from 37% to 33%, suggesting some headway may have been made in instituting proper procedures around the handling of personal information. Human error includes things like sending confidential information to the wrong recipient, insecure disposal of information and unintentional publication of sensitive material. Breaches caused by sending personal information to the wrong recipient are still the largest contributor to human error incidents, suggesting that further improvement can be made through employee cyber awareness training.

Examining progress across industries, health service providers remain the highest reporting sector for data breaches received. Legal, accounting and management services have seen the most improvement since September, falling from 34 to 23 notifiable data breaches received.

The December Quarter report sheds light on the progress that has begun to be made in strengthening cyber security in companies which handle confidential information. However, the goal of minimising risk remains as pertinent as ever; companies should always have a data breach response plan prepared so they can respond quickly to incidents, alongside continuing to adopt proper technical and administrative measures in day-to-day business.