More than half of the data breaches reported to Australia’s Information Commissioner under the new Notifiable Data Breaches scheme were caused by human error.
According to the first Notifiable Data Breaches (NDB) quarterly report, published by the Office of the Australian Information Commissioner (OAIC), 63 notifications were received during the first six weeks of the scheme.
In the 2017 financial year, the OAIC received 114 voluntary data breach notifications.
As reported by ARN, the OAIC had already received 31 breach notifications in the three weeks after the NDB scheme took effect on 22 February 2018.
The Government’s mandatory data breach notification legislation, the Privacy Amendment (Notifiable Data Breaches) Bill 2016, was introduced in Parliament in late 2016 and passed into law in February 2017, with a 12-month lead time before the scheme commenced.
Of the 63 notifications received, 51 per cent “indicated” that the cause was human error, 44 per cent were the result of malicious or criminal attack, and three (roughly five per cent) were attributed to system faults.
Human error includes inadvertent disclosures, such as sending a document containing personal information to the wrong recipient.
As reported by sister publication Computerworld, a recent study by telecommunications vendor Verizon found that businesses are still falling behind on the basics of employee awareness training and patching known vulnerabilities.
“People are getting hammered with white papers and invites to conference talks and things that say ‘You definitely need artificial intelligence in your SIEM’ or whatever,” Verizon principal consultant, Chris Tappin, said. “But people aren’t really doing the basics.”
Of the 63 notifications received by the OAIC, 78 per cent involved individuals’ contact information such as name, email address, home address or phone number. Most breaches were small: 73 per cent of all notifications involved the personal information of fewer than 100 people, and more than half (59 per cent) involved between one and nine individuals. The remaining 27 per cent of notifications under the NDB scheme involved more than 100 individuals.
Source: Notifiable Data Breaches Quarterly Statistics Report: January 2018 – March 2018 (OAIC)
In addition, 33 per cent of all reported breaches involved people’s health information and 30 per cent involved financial details. Identity information, such as driver licence numbers and passport numbers, was involved in 24 per cent of breaches, and 14 per cent involved tax file numbers.
Five sectors accounted for the largest share of notifications, with health service providers at the top at 24 per cent of all reported notifications, followed by legal, accounting and management services at 16 per cent.
Finance came third at 13 per cent, followed by private education at 10 per cent and charities at six per cent.
According to the OAIC’s 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when a business loses their personal information.
“A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts,” OAIC acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said. “This can reduce the overall impact of a breach.
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks,” Falk added.