This week the Office of the Australian Information Commissioner (OAIC) released its quarterly statistics report on the Notifiable Data Breaches (NDB) Scheme (Report). The Report shows trends and developments in notifications made under the NDB scheme in the period 1 April to 30 June 2019.

Data breaches across sectors – Health still highest but finance catching up

There were 245 disclosed breaches in the quarter – the second highest number of breaches in a quarter over the past year.

In this quarter the health sector (particularly private health providers) recorded the highest number of breaches (19%). The finance sector was a close second (17%).

As shown by the bar graph below, of the 42 data breaches notified by the finance sector this quarter, 50% (21) were caused by malicious or criminal attacks, 18 were caused by human error and 3 were caused by system faults.

[Bar graph: finance sector data breaches by source (malicious or criminal attack, human error, system fault), 1 April to 30 June 2019]

This contrasts with the previous quarterly report (for the quarter 1 January to 31 March 2019), in which a total of 28 notifications were reported from the finance sector, of which 16 were caused by malicious or criminal attack and 11 were caused by human error.

This quarter the OAIC has therefore seen a significant spike in the number of reported breaches from the finance sector where the underlying cause was human error: 18 notifications, up from 11 in the previous quarter.

Categories of Information accessed

Across all sectors, the top category of personal information involved in notified data breaches this quarter was contact information (220 notifications). A graph showing the breakdown of the kinds of personal information accessed in reported data breaches this quarter is shown below.

[Graph: kinds of personal information involved in notified data breaches, 1 April to 30 June 2019]

In the previous quarter, 186 notifications involved the disclosure of contact information. This quarter the number has jumped to 220 – an 18% increase in the number of notified breaches in which contact information was accessed.

Sources of data breaches – remained relatively consistent

In percentage terms, the sources of data breaches this quarter have remained relatively consistent with the previous quarter. Malicious or criminal attacks accounted for 62% (as opposed to 61% the previous quarter), human error accounted for 34% (as opposed to 35%) and system faults accounted for 4% (unchanged).

Key takeaways

The key message is that the finance sector is seeing a substantial increase in reported breaches (from 28 notifications in the previous quarter to 42 in this quarter, a 50% increase), and in particular an increase in the number of breaches caused by human error.

The increase in reported data breaches in the finance sector is particularly troubling given that, earlier this month, a further data breach occurred in which the personal data of 92,000 banking customers was exposed. This was reportedly caused by a vulnerability in the PayID real-time payments system, which is owned by the big four banks and 11 other financial institutions. It is the second PayID-related data breach within a span of three months.

In the circumstances, the finance industry as a whole is under significant pressure to shore up its security systems and take all measures necessary to avoid repeated inadvertent disclosures of personal information.

Moving forward, the OAIC will report every six months on the notifications it receives under the NDB Scheme.