Notifiable data breaches report: A brief overview (April to June 2019)


Recent figures from the Office of the Australian Information Commissioner (OAIC) show that data breaches are increasing yet again. According to the second quarterly statistics report on the Notifiable Data Breaches scheme, 245 data breaches were reported to the OAIC between April and June 2019. This was a 14% increase from the first quarter’s 215 breaches.

While there was a significant increase in cybersecurity incidents, data breach trends remain consistent with previous quarters. Most breaches were attributed to malicious attacks (62%), followed by human error (34%), and system failures (4%). Most breach incidents affected between 1 and 1,000 people, but there was a case that affected more than 10 million individuals.

As in previous reports, contact information and financial details were the most commonly breached types of data. Even the top five highest-reporting sectors are the same as in the first quarter of 2019.

1. Healthcare

The private healthcare sector reported 47 breaches between April and June, making it the most affected sector yet again. Over half of these breaches were the result of human error, such as misplaced paperwork and unauthorised disclosure of information. Other breaches were far more malicious, including theft of paperwork, stolen credentials, and insider threats.

The private health industry has always been a prime target for attacks, especially since it has access to sensitive information. However, it is also vulnerable to data breaches because of poor data management practices.

Loss and theft of paperwork suggest that many healthcare institutions are still using traditional filing systems. Meanwhile, stolen credentials and unauthorised disclosures indicate that healthcare staff do not receive regular cybersecurity training. 

2. Finance

There were 42 breaches reported by the finance sector, and most were caused by malicious attacks.

Phishing and compromised credentials, in particular, were common in this sector largely because they’re easy for cybercriminals to execute. Finance firms usually invest more in advanced cybersecurity measures than other sectors to mitigate cybersecurity risks. However, hackers know that these measures can be evaded by targeting weak passwords and careless employees.

Hacking financial data also leads to huge payouts for cybercriminals, which is why this sector is attacked so frequently.

3. Legal, accounting, and management

Out of the 24 breaches reported by the legal, accounting, and management services sector, 15 resulted from malicious attacks. Phishing was the biggest problem, implying that hackers are using more sophisticated scams to fool their victims.

In fact, business email compromise scams, in which hackers gain access to corporate email accounts and assume the owners’ identity, were common. These types of email fraud are highly effective because they prey on the target’s trust. They also target accounting staff who are authorised to make wire transfers, making this sector particularly vulnerable.

4. Education

Private education providers suffered 23 data breaches in the second quarter, mostly due to phishing and compromised credentials. Since these threats rely on users making mistakes, it’s clear that students and faculty members lack comprehensive security awareness training. Also, multifactor authentication (MFA) may not be widely adopted in schools, which is why breaches through stolen credentials were so prominent.

5. Retail

Almost all of the breaches reported in the retail industry were caused by some form of malicious attack. Retailers fell victim to ransomware, malware, stolen credentials, phishing, hacking, and brute force attacks.

One reason for this trend is that retailers are implementing more diverse networked technologies. Self-service kiosks, mobile payment systems, automated displays, and public Wi-Fi access increase the potential entry points into a company’s network.

What’s more, many retailers operate without uniform security measures and policies, making them an easy and appealing target.

What does this mean for organisations?

Even though malicious attacks continue to be the biggest source of data breaches, spending more money on cybersecurity tools isn’t enough. Lost paperwork, hijacked accounts, and phishing attacks will continue to occur unless organisations provide regular cybersecurity training for their staff.

This means employees must be taught about the latest scams, proper file management, and password best practices. Then, organisations should test their employees’ security awareness with practical exercises and simulated real-world attacks. Doing this while implementing powerful cybersecurity solutions can go a long way in combating ever-evolving threats.

Preventing human error and malicious attacks can be daunting to do on your own, which is why Empower IT Solutions is here to help. As a leading managed IT services provider in Australia, we offer customised cybersecurity solutions and services for your organisation. Give us a call today to keep your business safe. 
