Notifiable data breaches report: A comprehensive breakdown (July to December 2020)


Data breaches continue to be a recurring issue for Australian industries. According to the Office of the Australian Information Commissioner, there were 539 breaches reported between July and December 2020. Malicious attacks are responsible for 310 of these breaches, but human error-induced breaches have also increased by 18% from the previous six months.

Many experts believe that there were more data breaches during this period because new remote work policies led to the implementation of vulnerable business processes. Cyberattacks exploiting distributed workforces and COVID-19 panic explain why breaches through malicious attacks remain so high.

Here’s a comprehensive breakdown of how the top five most breached Australian industries fared: 

1. Health service providers

Healthcare organisations again experienced the most data breaches in Australia, reporting 123 breaches. Among those, 57% of breaches were attributed to human error and 41% were due to malicious attacks. 

Human error-induced breaches largely consisted of employees sending personal information to the wrong recipients (47 breaches) and failure to use BCC when sending emails (8 breaches). More remote healthcare staff are relying on emails to share information, but they don’t necessarily have adequate protection and training at home. This means that staff are more likely to make mistakes when handling sensitive data. 

As for malicious attacks, threats like rogue employees (10 breaches), theft of paperwork (9 breaches), and phishing (11 breaches) were the common culprits. Healthcare organisations also reported 6 cases of ransomware attacks, which was the highest among all Australian industries. Malicious attacks are prominent in healthcare because health and identity information are extremely valuable commodities for cybercriminals. Plus, organisations’ processes and systems may not have been properly adapted to remote work, making them more susceptible to threats. 

2. Finance

The finance industry reported 80 data breaches between July and December, which is 5 more than those reported in the first half of 2020. In contrast to data breaches in healthcare, malicious attacks were the most common source of data breaches within this industry, accounting for 66% of breaches. Financial firms fell victim to various attacks, including social engineering (11 breaches), theft of storage devices (9 breaches), and stolen credentials (7 breaches). Meanwhile, only 28% of data breaches were caused by human error incidents like unauthorised disclosure of information. 

One reason why malicious attacks are so frequent is that cybercriminals have a higher propensity to target organisations for monetary gain. With access to financial details, tax file numbers, and contact information, cybercriminals can defraud victims of thousands of dollars. 

3. Education

Data breaches reported by educational institutions went down from 44 to 40 between the first and second half of 2020. Despite this, the sources of data breaches are still consistent with previous reports. Human error was responsible for 62% of the data breaches, while 32% involved malicious attacks. 

Mistakes like sending information to the wrong email recipient (14 breaches) and unintended publication of data (5 breaches) were the biggest problems. Additionally, education was highly susceptible to hacking (4 breaches) and insider threats (3 breaches). These issues could indicate that educational institutions lack the protections necessary to prevent security incidents. On top of that, faculty members and administrative staff worked from home during this period with little oversight of data usage and management.

4. Legal, accounting, and management services

Legal, accounting, and management services organisations suffered 38 data breaches, 71% of which were due to malicious attacks. The industry was especially susceptible to phishing scams (9 breaches) and stolen credentials (8 breaches), most likely due to increased online activity.

Although the internet and cloud applications allow the industry to transition to remote work arrangements, they also increase exposure to risk. Employees can easily give away their passwords or fall for online scams without the safety net provided by a corporate network.

5. Australian government

For the first time, the Australian government became the fifth most breached sector in 2020, with 33 breaches in total. Of these, 87% were caused by human error, such as unauthorised disclosures and staff sending sensitive information to the wrong recipient. Government agencies also reported 2 malicious attacks involving social engineering and brute force methods. 

The sudden surge in data breaches suggests that agencies may be struggling to regulate remote or hybrid working arrangements. Since government staff are working from home, they’re now accessing classified systems outside the protection of government-approved cyber defences. Plus, security advisories may not have been fully updated to account for new working arrangements. This leaves many government agencies without any means to monitor and mitigate the vulnerabilities that employees may inadvertently create. In fact, breached government agencies were slow to identify issues, with up to 15% taking between 121 and 365 days to detect an incident.

How can Australian companies defend against data breaches?

Every organisation that handles personal information must take proactive measures to minimise the risk of data breaches. They need tools like endpoint protection software to secure company-managed devices, email security software to fend off phishing attacks, and constant network monitoring. Role-based access restrictions and multifactor authentication are also essential for preventing data breaches through compromised credentials. 

However, developing a vigilant and security-conscious workforce is by far the most important component of data security. If employees know how to spot phishing scams, create strong passwords, and share information with the right people, businesses won’t have to pay dearly for a massive data breach.

If your business is lacking in any of these areas, you need to talk to Empower IT experts. We’re a leading managed IT services provider that can give you access to world-class cybersecurity solutions, training, and support. Call us now to get started.