Of the 464 notifications, 55% or 256 were due to malicious or criminal attacks, yet this is a decrease of 9% from the previous quarter.
Human error breaches increased to 190 notifications, or 41% of the total; of those, 43% involved personally identifying information (PII) being emailed to the wrong recipient. That is 43% of 41% of the total, so over 17% of all data breaches from all sources were due to careless emails. The next highest human error cause was unauthorised disclosure.
Health service providers are the top industry reporting data breaches, followed by finance. 71% of breaches affected 100 people or fewer. However, one data breach notification affected more than one million, but fewer than 10 million people. Two notifications affected 50,001 to 100,000 people.
80% of breaches were identified in under 30 days, while 4% were not identified until a year or more had passed. For 1% of data breaches, the time at which the breach actually occurred could not be determined.
Angelene Falk, the Australian information commissioner and privacy commissioner, calls for organisations to put accountability at the centre of their information handling practices. “Doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation,” she said.
Falk noted some organisations are falling short of the scheme's assessment and notification requirements. As the risk of serious harm to individuals often increases with time, the OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter timeframe. Of the 464 breaches in the second half of 2021, 75% were reported to the OAIC within 30 days, while 13% took up to 60 days, and the remainder took longer.
The OAIC report received widespread interest from security and privacy experts.
“The fact that the financial services industry is so often the victim of a cyber breach does not indicate a lack of cybersecurity commitment or good practice on their part,” said Steven Armitage, country director, SANS Institute. “The sector’s position as one of the most breached shows how heavily targeted the industry is by cyber adversaries. It also illustrates how cooperatively the FSIs work with regulators under their mandatory breach notification requirements. They take their cyber obligations seriously. The sector has made significant investments and genuine leaps forward in improving its cyber security posture in recent years, investing in its people and technology. Nevertheless, with 42 per cent of data breaches resulting from malicious or criminal attacks and 48 per cent of data breaches resulting from human error, the need for FSIs to remain vigilant and to continue that improvement is clear.”
“Of the 464 notifications, 55% are attributed to malicious or criminal attacks. This figure suggests the sophistication and scale of cyber-attacks are continuing to get the best of Australian organisations. Threat actors are chasing larger paydays and finding new vulnerabilities in a wide variety of targets, while many organisations are struggling to bring their cybersecurity up to standard for hybrid work,” said John Donovan, managing director ANZ, Sophos. “First and foremost, Australian businesses must change their mindsets around cybersecurity and adopt a model wherein they assume they will be breached. Subsequently, it’s crucial that leaders invest in the right technology to build their cybersecurity foundation and focus on resilience and recovery as well as protection. Considering 41 per cent of the data breaches were a result of human error, up 11 per cent from the previous report, organisations need to make staff cybersecurity education a priority; this is essential to creating a cyber-aware culture and addressing this statistic.”
“Despite progressive steps taken by companies to modernise their technological infrastructure in an effort to boost data protection and cybersecurity efforts, the latest OAIC report suggests that organisations do not have strong accountability measures in place to manage data breaches in line with compliance requirements. Without the protection that office systems provide, educating and training employees on what security measures need to be put in place, prior to and during an attack, is paramount to reducing the amount and degree of future security breaches,” said Matthew McWhirter, senior director, Asia Pacific and Japan, LastPass. “With 41% of data breaches caused by human error, organisations need to foster a security-first culture. This involves ensuring employees have secure online habits and practices to complement implemented technology to effectively combat cybercrime. For example, risks of phishing and brute-force attacks can be minimised by adopting password managers with single sign-on (SSO) and passwordless MFA to act as the moat for your company to deter cybercriminals.”
“The new OAIC Notifiable Data Breaches Report confirms what many in Australia's security industry know already, and that is that we must do more to achieve heightened security awareness and indeed higher prioritisation of security best practices at an organisational level,” said Pieter Danhieux, co-founder and CEO, Secure Code Warrior. “The numbers around breaches caused by human error have shot back up from where they were in the first 2021 report, and while malicious or criminal cyberattacks have had a slight downward trend, the consequences of such a breach can be devastating. With the healthcare sector being the highest reporting industry, experiencing almost one in five of all reported incidents, the potential disruption to vital services is concerning. These same criminal attacks are also successful in eight per cent of cases as a result of hacking, and while this number may seem small, there is a worrying trend of some breaches resulting from this attack vector taking much longer to discover and report, giving threat actors a significant advantage in making away like bandits with large volumes of sensitive data. While there is no breakdown of how exactly the systems and software were compromised in the relevant reported breaches, common ways that attackers can infiltrate are by exploiting security bugs in code, and security misconfiguration, both of which can be mitigated by security-aware developers. However, until we get serious about providing comprehensive training in secure coding and enabling every developer to share the responsibility for security, they will continue to be a rare commodity in most organisations.”
“The report suggests that the upward trend of user-sourced breaches continues, where the actions of a staff member or other trusted party are used to gain a foothold into an environment. As perimeter defences become more effective, threat actors have turned their attention to social engineering, primarily via email and compromised credentials to gain entry. The approaches of least privilege and segmentation are highly effective at containing the impact of a breach, ideally limiting consequences to one of an inconvenience rather than crippling an organisation altogether,” said Sash Vasilevski, principal, Security Centric.
“As many companies take steps to ensure that they can emerge stronger from the pandemic, this latest OAIC report shows that malicious or criminal activity remains omnipresent and responsible for the majority of data breaches suffered by enterprises. As compromised credentials and ransomware were responsible for more than one in four data breaches in this latest report, businesses really need to appreciate that compromised credentials relating to privileged accounts or users are often the first step in a ransomware attack. Indeed, criminals leverage the privileges associated with an individual account to move through an organisation until they reach the “crown jewels” of the company,” said Scott Hesford, director of solutions engineering, Asia Pacific and Japan, BeyondTrust. “We continue to see compromised credentials being amongst the most significant causes of data breaches in Australia. Organisations storing information should look to implement multi-factor authentication to better secure key accounts alongside password management solutions that help to discover, manage, audit, monitor and secure the credentials of privileged accounts. Additionally, it is worth noting that many managed privileged accounts contain privileges in excess of what they need for any given task. Organisations should also consider implementing tools that can assign specific privileges to accounts based on what they should be used for. Ultimately, today, data protection is of the utmost priority and organisational IT teams must have clear visibility to rapidly detect and neutralise any security threats that may arise.”
“Based on the current OAIC report, the 6% increase in notifications from the previous report is alarming as 41% of data breaches are coming from human error with 43% being from personal information being emailed to the wrong recipient. This makes it imperative for companies to continue to invest in security awareness training in certain subject areas for their staff with the inclusion of an overall security product offering implemented. With the health sector remaining the highest reporting industry sector notifying 18% of all breaches, it’s important that they continue to improve on all aspects of security such as protecting all devices, planning for the unexpected, limiting access outside of the network and creating and building a great security culture with all internal users. It is however pleasing somewhat to see that ransomware incidents have dropped 11% from the previous reporting period suggesting that emails and the like are being looked at more carefully before any action is taken,” said Anthony Daniel, regional director, Australia, New Zealand and Pacific Islands, WatchGuard Technologies.
“Malicious cyber activity continues to plague Australian organisations and leave behind a destructive wake, with the OAIC's latest update revealing 55% of data breaches in the July to December period were a direct result of criminal cyber activity and almost a quarter of cyber security incidents leading to breaches caused by ransomware,” said Derek Cowan, director of systems engineering, Asia Pacific and Japan, Cohesity. “Australia's public and private organisations must consider how they can augment their current security posture by embracing next-gen data management practices to better govern, manage, and protect their data. It's little surprise that the healthcare, legal, and financial services sectors are being targeted, due to the volume of sensitive data or crown jewels for malicious actors. To help thwart malicious cyber incidents and minimise their impact, organisations need to enhance their security postures by embracing next-gen data management capabilities that allow them to: utilise immutable backup snapshots, ensure their data is encrypted in transit and at rest, enable multi-factor authentication, detect potential anomalies via AI/ML, employ zero trust principles, and reduce their overall data footprint caused by mass data fragmentation.”