pracsec

Notifiable Data Breaches Scheme: Lessons Learned One Year On


The Notifiable Data Breaches (NDB) scheme, which commenced in February 2018, introduced new obligations for the public and private sector organisations already subject to the Privacy Act 1988 (Cth).


Since February 2018, the Office of the Australian Information Commissioner (OAIC) reports a 700% increase in data breach notifications.


Key Lessons Learned


Top Reporting Sectors


The top reporting sectors have been Health, Finance, Legal, Education and Personal Services. More than one third of all breaches (36%) were reported by the Healthcare sector alone.


[Chart: top reporting sectors]

Data Breach Causes...Gone phishin'...


It is not surprising that, one year on, the leading cause of breach is compromised credentials, most often obtained through a phishing attack.

Compromised or stolen credentials underpinned most cyber incidents that led to data breaches in the first year of the NDB scheme.

Phishing provides one explanation for how cyber attackers gain access to credentials. So‑called ‘credential phishing’ typically involves attackers tricking a user into giving up their login details by emailing them a link to a realistic‑looking login page for a service they trust. Common examples include password reset requests that purport to be from legitimate web‑based email providers such as Gmail or Office 365. When the user enters their login details into the fraudulent site, they are handing their credentials straight to the attackers.


Credentials obtained this way account for 39 per cent of cyber incidents. However, in a further 28 per cent of cyber incidents the notifying entity did not know how the credentials had been obtained, most likely because it had never detected the phishing‑based compromise that preceded the incident.
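The lure described above stands or falls on a link whose host looks like a trusted login page. The following is an added example, not code from the original post or from PRACSEC, of a small link triage routine that a mail gateway or a SOC analyst could run over a suspected phishing message. It goes a little beyond the text by covering the usual disguises together: a brand name buried inside an attacker's host (`login.microsoftonline.com.reset-portal.example`), homoglyph labels (`rnicrosoft`, `g00gle`), typo‑squats within a short edit distance, raw IP hosts and punycode (IDN) labels. The trusted‑domain list, brand words, homoglyph table and the sample e‑mail are all constructed for illustration and would be tuned to the organisation's own login services.

```python
# Added example, not code from the original post or from PRACSEC.
# Flags links whose host imitates a trusted login domain, the pattern the
# credential-phishing description above relies on. The trusted-domain list,
# brand labels, homoglyph table and the sample e-mail are constructed.
import re
from urllib.parse import urlparse

# Hypothetical allow-list of the login hosts this organisation's users really use.
TRUSTED_LOGIN_DOMAINS = {
    "accounts.google.com",
    "login.microsoftonline.com",
    "login.live.com",
}

# Brand words that should never appear inside somebody else's domain name.
BRAND_LABELS = {"google", "gmail", "microsoft", "office365", "outlook"}

# Character substitutions attackers use to build lookalike labels.
# Multi-character entries come first so "rn" is folded before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise_label(label):
    """Fold common homoglyph tricks so 'g00gle' and 'rnicrosoft' read as the brand."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_domain(host):
    """Last two labels of the host. Production code should use the Public Suffix
    List, otherwise 'example.co.uk' collapses to 'co.uk'."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def levenshtein(a, b):
    """Edit distance; a small value against a trusted domain means a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'suspicious' or 'unknown'."""
    host = (urlparse(url).hostname or "").rstrip(".")  # hostname is lower-cased, port stripped
    if not host:
        return "suspicious", "no host in URL"
    if host in TRUSTED_LOGIN_DOMAINS:
        return "trusted", "exact match on trusted login host"
    labels = host.split(".")
    if any(lab.startswith("xn--") for lab in labels):
        return "suspicious", "internationalised (punycode) label, possible homograph"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspicious", "raw IP address as host"
    trusted_regs = {registrable_domain(d) for d in TRUSTED_LOGIN_DOMAINS}
    reg = registrable_domain(host)
    if reg in trusted_regs:
        # Same registrable domain as a trusted host. Caveat: user-content
        # subdomains of large providers can still serve phishing pages.
        return "trusted", "same registrable domain as a trusted login host"
    for lab in labels:
        folded = normalise_label(lab)
        for brand in BRAND_LABELS:
            if brand in lab or brand in folded:
                return "suspicious", "brand '%s' inside untrusted host %s" % (brand, host)
    folded_reg = ".".join(normalise_label(lab) for lab in reg.split("."))
    for trusted in trusted_regs:
        if levenshtein(folded_reg, trusted) <= 2:
            return "suspicious", "lookalike of %s" % trusted
    return "unknown", "not a known login host"


def scan_message(body):
    """Classify every link in an e-mail body; returns [(url, verdict, reason), ...]."""
    return [(url,) + classify_url(url) for url in URL_RE.findall(body)]


# Constructed sample: a fake Office 365 password-reset lure with one genuine decoy link.
SAMPLE_EMAIL = (
    "Your Office 365 password expires today.\n"
    "Reset it now: https://login.microsoftonline.com.reset-portal.example/reset?u=jane\n"
    "If you did not request this, sign in at https://login.microsoftonline.com/ "
    "and review recent activity.\n"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_EMAIL):
        print("%-10s %s (%s)" % (verdict, url, reason))
```

Run against the sample message the first link is flagged because the `microsoftonline` label sits under an untrusted registrable domain, while the genuine `login.microsoftonline.com` decoy is accepted. The checks are deliberately conservative (a two‑edit threshold and homoglyph folding will produce false positives on ordinary words), which is the right trade‑off for a triage tool whose output an analyst reviews rather than a blocking control.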


[Chart: top incident types]

Types of information breached


The graphic below breaks down data breaches by the type of personal information involved, for the period 1 April 2018 to 31 March 2019.


[Chart: top types of breached data]

Next Steps


The NDB scheme provides valuable insights into the reasons data breaches have occurred, and how organisations can improve their security posture and processes to minimise the risks of a data breach. In relation to statistical reports issued over the course of the last year, the OAIC has previously stated: “We expect organisations and agencies to act on the risks highlighted by these reports ― whether or not they were directly affected ― and take steps to prevent a similar breach of Australians’ personal data.”


After a full year of operation of the NDB scheme, entities should now be fully aware of their obligations and have processes in place to notify affected individuals and minimise harm to them. The OAIC will consider regulatory action against organisations that fail to respond appropriately, including issuing a direction to notify under s 26WR of the Privacy Act to entities that improperly delay or fail to notify eligible data breaches. The OAIC can also conduct an investigation where there are serious concerns about an entity’s compliance more generally with the Australian Privacy Principles.


At PRACSEC we understand the challenges of protecting against and identifying data breaches using traditional methodologies. Our Solutions and Services are designed to provide immediate value and raise your organisation's security posture and capability in preventing and identifying data breaches.


Call us on 1300 23 20 20 or email us at info@pracsec.com.au and let us show you how. Our first Security Assessment and report is free.
