Human element a key factor in data breaches

27 August 2019
Tags: media release

National figures on data breaches show about one in three data breaches last quarter were caused by compromised credentials, with login and password information used to gain unauthorised access to personal information.

The human element continues to be a key factor in breaches, according to the latest Notifiable Data Breaches (NDB) scheme statistics report from the Office of the Australian Information Commissioner (OAIC), covering the period between 1 April and 30 June 2019.

This includes individuals clicking on a phishing email or reusing passwords across services, both of which allow for further data breaches.

“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.

The NDB data shows that the threat of data breaches – whether by malicious or criminal attack or human error – remains real.

Malicious or criminal attacks were the largest source of data breaches in the quarter, accounting for 62 per cent of all data breaches. Of these 151 data breaches, nearly 70 per cent involved cyber incidents.

The vast majority of cyber incidents were linked to compromised credentials, either through phishing (46 notifications), by unknown methods (32 notifications) or by brute-force attack (5 notifications).

The private health and finance sectors continue to record the most data breaches out of the sectors surveyed.

The health sector was responsible for 19 per cent of data breaches and the finance sector for 17 per cent. They were followed by the legal, accounting and management services sector (10 per cent), the private education sector (9 per cent), and the retail sector (6 per cent). Overall, the total of 245 data breaches reported is consistent with previous quarters.

Ms Falk said that the NDB scheme had established itself as an effective mechanism for organisations to notify affected individuals and the Australian Information Commissioner about ‘eligible data breaches’.

“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combating data breaches and improving response strategies,” she said.

“Effecting change in practices to prevent breaches is vital to the goal of protecting the community. Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”

The majority of data breaches in the period involved the personal information of 100 individuals or fewer (62 per cent of data breaches).

Ms Falk said the OAIC remained ready to exercise its enforcement powers to support the NDB scheme’s purpose of protecting consumers.

The OAIC’s statistical reporting on the NDB scheme will shift to six-monthly intervals following the latest report.

Further resources for preventing and responding to data breaches can be found on the OAIC website.