The notifiable data breach regime under the Privacy Act 1988 (Cth) has now been in place for a little over 12 months. Earlier this week the Office of the Australian Information Commissioner released a 12-month Insights Report which contains some interesting statistics and observations.
Statistics – notifiable data breaches
Extrapolating from the full-year statistics for the notifiable data breach scheme, it’s clear that in the foreseeable future we can expect large numbers of breaches to be reported to the OAIC and notified to individuals. To date, over 200 breaches have been reported to the OAIC in every full quarter since the scheme commenced.
In the full-year period from April 2018 to March 2019:
While human error is second in the above list, a majority of data breaches involved a human element. In the case of malicious attacks, this includes clicking on a link that results in the compromise of user credentials.
Indeed, “phishing” was the most common type of malicious breach reported. In a “phishing” attack, an individual is contacted by email or text message by a fraudster posing as a legitimate institution (for example the individual’s employer or a supplier such as Microsoft) to encourage the individual to provide personal information or login/password details. The fraudster can then use these details to gain access to systems using the individual’s credentials.
Lessons for organisations
There are a number of useful things organisations can learn from this report, including the following:
That means that if an organisation is able to identify a data breach and move quickly to address it, the organisation may be able to head off the misuse of credentials by a third party. Organisations should encourage staff who realise they have “clicked on something they possibly shouldn’t have clicked on” to report this as soon as possible, embarrassing as it may be to do so.
The OAIC’s expectations and approach
The OAIC states in the report its expectation that organisations will act on the highlighted risks and take steps to prevent further data breaches. It expects that:
Finally, the report states that organisations should by now be aware of their obligations under the notifiable breach scheme.
While the OAIC’s approach in the first year of the scheme’s operation was largely to educate organisations about the scheme and how to avoid and manage data breaches, moving forward the OAIC “will consider regulatory action for organisations that fail to respond appropriately” to a data breach.