The number of data breaches caused by ransomware attacks has increased by more than 150% compared to the previous six months, says the Australian Information Commissioner (OAIC) in the latest Notifiable Data Breaches (NDB) Report for January to June 2020.
According to the OAIC, malicious or criminal attacks accounted for 64% of all notifications between July and December 2019. Although malicious or criminal attacks were the biggest source of data breaches, human error accounted for 170 breaches in the reporting period. This includes unintended publication or release of personal information (24%), loss of data storage devices or paperwork (11%), and sending personal information to the wrong recipient via email (29%).
The latest Notifiable Data Breaches Report for January-June 2020 noted that human error data breaches accounted for 39% of notifications in May alone.
“The report shows that more human error data breaches were reported in May, accounting for 39% of notifications that month, compared to an average of 34% across the reporting period,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.”
“Organisations must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.”
The health sector was once again the highest reporting sector, notifying 22% of all breaches. Intriguingly, the OAIC found that human error caused 57% (65 notifications) of data breaches in the health sector, while 40% of breaches were caused by malicious or criminal attacks. In the January-June 2020 reporting period, health service providers reported 115 data breaches to the OAIC, down from 117 in the last reporting period.
Other key findings for the January-June 2020 reporting period:
- Most breaches affected less than 100 individuals, in line with previous reporting periods.
- Contact information remains the most common type of personal information involved in a data breach.
- 518 breaches were notified under the scheme, down 3% from 532 in the previous six months.
Data Breach Notifications: Getting It Right the First Time
While the number of data breaches resulting from human error dropped to 32% in July-December 2019 (down from 34% in the previous report), human error remains the second-largest source of data breaches. This information amplifies the need for organisations in Australia to consider individuals as an essential part of their security policies.
When an agency or organisation covered by the Privacy Act 1988 believes a serious data breach has occurred, they must notify every individual that is at risk of serious harm. Examples of serious harm to an individual include identity theft, serious psychological harm and financial loss through fraud.
Although most entities that reported a serious data breach between July and December 2019 provided “practical guidance” to affected individuals, the report noted that some initial notifications did not meet the requirements of the Notifiable Data Breaches scheme. Entities also failed to include recommendations about the steps individuals should take in response to data breaches in the January-June 2020 reporting period. In these instances, the Australian Information Commissioner requested a re-issue of the notification to include practical guidance necessary to help individuals reduce the risk of serious harm as a result of a data breach.
“A number of notifications also fell short of the standards required, in failing to identify all the types of personal information involved and not providing advice to people affected on how to reduce their risk of harm,” Commissioner Falk said.
Data breach notifications that lack the correct information and/or are sent too early with limited information can cause more harm to both the individuals involved and the reputation of the company. That being the case, it is important that entities get notifications right the first time. Entities can do this by ensuring the data breach notifications hold enough information to give individuals affected a greater chance to protect themselves before serious harm occurs.
Before notifying individuals, agencies and organisations should also carry out an extensive investigation in order to provide enough information to those affected by the breach to reduce their risk of harm.
As a security analyst working in Beijing in 2008, I struggled to connect to basic websites like Facebook and Wikipedia (coincidentally, many more websites are banned in China today than were then). Naturally, I started looking for a solution. VPN services were, at the time, security tools used by large I.T. companies or cybersecurity professionals.