The Office of the Australian Information Commissioner (OAIC) recently released its third quarterly statistics report on the Notifiable Data Breach (NDB) scheme between July and September 2018.
According to the OAIC, 245 breaches were reported by organisations in the third quarter, with each incident usually affecting between 100 and 1,000 people — though there were two cases that affected between 100,000 and 250,000 people. The types of data breached included financial records, health information, tax file numbers, personal information, and contact details.
The frequency of the breaches also varied depending on the industry, but the top four most vulnerable industries remain consistent with the second quarterly statistics report.
1. Healthcare
The private healthcare sector maintains the lead in notifiable data breaches, with 45 incidents reported to the OAIC. Much like the previous quarter, over half (56%) of data breaches were due to human error, such as sending personal information to the wrong email address, misplaced files, and unauthorised disclosure of data.
Malicious attacks on the industry also show no signs of slowing down. The number of phishing cases between the second and third quarter of 2018 increased from two to four. Meanwhile, breaches involving rogue employees and stolen paperwork were also on the rise.
Healthcare has always drawn unwanted attention from cybercriminals because hospital databases are packed with sensitive patient information that is extremely valuable on the black market. What’s more, the evidence shows that healthcare organisations don’t provide sufficient internal controls and training to prevent human error, making them more susceptible to attack.
2. Finance
The second largest source of data breaches was the finance industry, which reported a total of 35 breaches. Of those breaches, 17 were caused by human error, 16 were due to malicious attacks, and 2 resulted from technical issues.
The report found that the finance industry suffered the most from phishing scams, but brute-force, ransomware, and hacking attacks that require significant effort have also become more prevalent. This is because finance firms manage troves of bank information, credit card details, and tax file numbers that offer huge payouts to cybercriminals.
3. Legal, accounting, and management
There were 34 data breaches that affected legal, accounting, and management services between July and September, which is a huge increase from last quarter’s 20 breaches.
Phishing scams contributed most to the uptick, suggesting that the industry is ill-prepared for social engineering attacks. Additionally, the sheer volume of funds and personally identifiable information that passes through legal, accounting, and management firms makes them ideal targets for attack.
4. Education
Private K-12 schools and universities reported 16 data breaches caused by a combination of compromised credentials, phishing, and data-sharing mistakes. One explanation for this is that schools are increasingly reliant on IT, but their system administrators have yet to ensure the proper use of devices, apps, and data. Another reason is that most teachers and students are not trained in password best practices or in defending against phishing scams, which puts schools at increased risk of data breaches.
5. Personal services
The personal services industry, which includes employment agencies, child care centres, and community services, reported 13 data breach incidents. Like other industries, mishandled data and phishing attacks accounted for the majority of breaches, which indicates poor employee training. What’s worse, this industry will likely be a bigger hacking target in the future, since it collects thousands of contact details and personal records on a regular basis.
What should companies do?
Despite increasing investments in cybersecurity to prevent malware attacks and hacks, the past two quarterly statistics reports show that organisations still have a long way to go in terms of security awareness. Data breaches caused by human error continue to be a major concern, especially in the healthcare, finance, and legal sectors. More importantly, phishing attacks made up half of the reported data breaches in the recent quarter.
This means organisations must provide more comprehensive training that drills down on how employees can prevent unauthorised disclosures and avoid phishing attacks. Lecture-style classes are helpful for teaching employees security best practices. However, a more effective method would be to conduct practical exercises and simulate phishing attacks to prepare employees for real-world scenarios.
It’s clear that there’s a lot more to cybersecurity than merely installing antivirus software, but Empower IT Solutions can make things easier for you. Not only do we provide threat detection, email filtering, and encryption systems; we also offer security consulting and training customised for your industry. Contact us today to keep data breaches at bay.