31 July 2020

An increase in data breaches caused by ransomware attacks and impersonation is among the key findings in the latest statistics report from the Office of the Australian Information Commissioner (OAIC).

The OAIC’s Notifiable Data Breaches (NDB) Report for January to June 2020 shows a slight fall in the number of eligible breaches reported (518) against the previous six-month period (532), but an increase of 16% compared to the same period last year.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said malicious or criminal attacks including cyber incidents remain the leading cause of data breaches involving personal information in Australia.

“Malicious actors and criminals are responsible for three in five data breaches notified to the OAIC over the past six months,” Commissioner Falk said.

“This includes ransomware attacks, where a strain of malicious software is used to encrypt data and render it unusable or inaccessible.”

The report shows the number of data breaches caused by ransomware rose from 13 in the previous six-month period to 33 between January and June, Commissioner Falk said.

“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network, which is also of concern,” she said.

“This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks.

“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”

Across the reporting period approximately 77% of notifying entities were able to identify a breach within 30 days of it occurring.

However, in 47 instances the entity took between 61 and 365 days to become aware and assess that a data breach had occurred, while 14 entities took more than a year.

“Organisations must be able to detect and respond rapidly to data breaches to contain, assess and notify about the potential for serious harm,” Commissioner Falk said.

“A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm.

“In these cases, we required the organisation to re-issue the notification. We will continue to closely monitor compliance with assessment and notification obligations as part of our system of oversight.”

In other findings:

  • The insurance industry entered the top five sectors for the first time since the report began, notifying 35 breaches
  • Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors.
  • The number of notifications resulting from social engineering or impersonation has increased by 47% during the reporting period to 50 data breaches
  • Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.

The number of notifications per month varied widely across the reporting period, ranging from 63 in January to 124 in May — the highest number of data breaches reported in a month since the NDB scheme began in February 2018.

While the increase coincided with widespread changes in working arrangements due to the COVID-19 outbreak, Commissioner Falk said the OAIC had not found evidence to suggest the increase in May was the result of changed business practices.

“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” she said.

“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.

“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.”

Read the Notifiable Data Breaches Report for January-June 2020.

Privacy advice and guidance for the COVID-19 outbreak can be found at oaic.gov.au/covid-19