Notifiable data breaches report: A brief overview (January to June 2020)

Notifiable Data Breaches Report

The Office of the Australian Information Commissioner (OAIC) publishes regular reports on the data breaches notified to it within each half-year period. From January to June 2020, there were a total of 518 data breaches, a 3% decrease compared to the previous six months. The average breach affected 100 individuals or fewer, and the most commonly compromised data included contact details, identity information, financial records, and health records.

As in previous reports, there were five industries in Australia that reported the most data breaches to the OAIC. These include: 

1. Health service providers

Following the same patterns from previous OAIC reports, healthcare organisations continue to suffer the most data breaches in Australia. Out of the 115 breaches reported by the sector, 40% were caused by malicious attacks, while 57% resulted from human error. 

Some 26 of the data breaches reported by healthcare organisations involved employees sending sensitive information to the wrong recipient. Such mistakes may be more common now that more organisations work remotely and email is the default channel for sharing information. Healthcare personnel such as billing and intake coordination staff may also not have received adequate data-handling training.

In addition to human error, the sector was affected by cyber incidents such as phishing scams (11 breaches), stolen credentials (7 breaches), and ransomware attacks (4 breaches). This is largely because healthcare organisations and the data they manage have always been prime targets for attackers. Health and identity information commands a premium on the dark web, where it can be used to fuel insurance fraud and obtain fraudulent prescriptions. It also doesn’t help that cybercriminals are using increasingly manipulative tactics to trick victims into clicking links and sharing personal information.

2. Finance

In the financial services sector, there were a total of 75 data breaches reported between January and June 2020. Unlike in the healthcare industry, the majority of these breaches (59%) resulted from malicious or criminal attacks. These attacks run the gamut from phishing scams and the exploitation of system vulnerabilities to social engineering and rogue insiders.

Malicious attacks targeting finance are nothing new, since attackers can turn an easy profit from bank details and other financial information. However, the sudden shift to working from home to curb the spread of COVID-19 poses new challenges for the industry. Remote finance personnel may not be covered by the same comprehensive security controls found on on-premises networks, making them particularly susceptible to attack. And without proper monitoring of remote workers, it’s easy for someone to deliberately or accidentally mishandle sensitive information.

3. Education

Education was the third most breached industry, with 44 breaches in the first half of 2020. While institutions did report malicious attacks such as phishing and stolen credentials, human error made up 52% of data breaches. Among the human-error breaches, sending information to the wrong email recipient and unauthorised disclosure of information were the most frequent. Meanwhile, system faults that gave outsiders unintended access to sensitive information occurred in four cases.

These findings indicate that educational institutions still lack the training and security measures to prevent data breaches. Human error and system faults were also more prominent than in previous reports, suggesting that institutions are struggling with data management in new working environments. 

4. Insurance

Insurance made a big entrance into the top five most breached industries, with 35 data breaches. A whopping 80% of these breaches came from malicious attacks, namely social engineering and impersonation. 

One explanation for this trend is that the insurance industry stores plenty of contact details and financial information that can be used to commit fraud. At the same time, it’s often easier for cybercriminals to infiltrate systems by masquerading as insurance holders and personnel. 

5. Legal, accounting, and management services

The legal, accounting, and management services industry reported 26 breaches, which is a 35% decrease from the previous OAIC report. The most common sources of data breaches consisted of phishing attacks (7 breaches) and mailing information to the wrong recipient (4 breaches). 

The decrease in reported breaches could mean that attackers are setting their sights on more susceptible targets, but trends can quickly change. After all, legal, accounting, and management services businesses still hold plenty of contact and identity information that is extremely valuable to cybercriminals.

How can companies prevent these data breaches?

With the mass transition to remote work, it’s now more important than ever for companies to review and fortify their existing security measures. They need threat prevention tools, encryption systems, endpoint protection, anti-malware software, email security software, and ongoing network monitoring. Meanwhile, to defend against compromised credentials and impersonation attacks, companies must enable multifactor authentication and strict access restrictions.

Also, since many of the reported data breaches stemmed from human error, security training is absolutely essential. Employees need to learn how to identify and avoid phishing emails, set strong and unique passwords, and safely handle and share sensitive information. More importantly, training needs to be frequent and engaging to produce meaningful results, so businesses can prevent the costly repercussions of data breaches.  

If your business manages sensitive information in any capacity, Empower IT can implement a data security strategy tailored to your business. As Australia’s leading managed IT services provider, we offer advanced security tools, training, and expertise. Contact us now to avoid becoming just another data breach statistic.