Notified data breaches report overview (July to December 2019)

Notifiable Data Breaches Report

The Office of the Australian Information Commissioner (OAIC) has released its latest report on data breach incidents between July 1 and December 31, 2019. According to the report, organisations suffered 537 breaches in total, much higher than the 460 in the first half of 2019. The largest source of these breaches was malicious or criminal attacks (64%), followed by human error (32%) and faulty systems (4%).

The types of data compromised included contact and identity information, financial and health records, and tax file numbers (TFN). Most breach incidents also affected 100 individuals or fewer, but there were some cases that involved one million or more individuals’ personal information.

Similar to previous OAIC reports, five industries were highly susceptible to data breaches.

1. Healthcare

The private healthcare sector is still the most vulnerable industry in Australia, with 117 data breaches. Although human error was the largest source of healthcare breaches in the past, malicious attacks have become more prominent.

Phishing, in particular, contributed to 17 data breach cases, suggesting that employees are not getting adequate security training. Healthcare workers were even sending sensitive information to the wrong recipients.

What’s more, rogue employees, theft of paperwork or storage devices, and ransomware attacks also increased. This is largely because health records and identity information are worth a lot of money. Cybercriminals can sell medical information on the black market or use it to get fake prescriptions. Meanwhile, healthcare institutions will likely give in to ransomware demands because they need patient information for life-saving treatments.

2. Finance

Finance retains its position as the second most breached sector, reporting a total of 77 incidents. Of these incidents, 30 are attributed to human error, such as unauthorised disclosure of information and data sharing mistakes. There were also seven cases where system faults enabled unintended access and release of personal information.

Much like the healthcare industry, however, malicious and criminal minds caused many of the breaches in the finance sector. Most data breach cases stemmed from rogue employees, phishing, and compromised credentials. This doesn’t come as a surprise since finance companies are a lucrative target. They manage a host of capital and finance-related information that is worth top dollar to competitors and cybercriminals.

3. Education

The education sector reported 49 cases between July and December, making it the third largest source of data breaches in Australia. A majority of breaches were a result of malicious attacks like compromised credentials and stolen paperwork. Such cases indicate that faculty members and administrators have poor password hygiene and data management.

Another important detail is that human error, such as misplaced devices and unauthorised disclosures, was responsible for 16 breaches in education. This highlights the need for better security training across all educational institutions.

4. Legal, accounting, and management services

Legal, accounting, and management services companies suffered 40 data breaches, most of which were caused by malicious attacks. Credential hacking and phishing attacks were huge issues for this sector, especially since these companies manage highly sensitive data. These types of attacks are also more frequent because legal, accounting, and management employees may not be properly briefed on security best practices.

5. Personal services

Trailing behind the legal services sector is personal services, with 23 data breach notifications. Like the previous industries, this sector suffered most from malicious attacks like phishing and theft of paperwork.

One reason for this is that personal services companies store identity and contact information that is valuable to cybercriminals. Personal services companies may also mistakenly assume that they’re not as big a target as healthcare institutions, which could lead to subpar security measures.

Key lessons learned

Considering that most of the breaches between July and December 2019 involved malicious or criminal attacks, security measures must be strengthened. For one, organisations must implement advanced firewalls, intrusion detection systems, and email security software to mitigate threats. Limiting access privileges is also a great way to minimise the risk of rogue insiders. At the same time, employees should enable multifactor authentication and set long, complex passwords that are unique to every account.

However, the most important lesson of all is that security training cannot be dismissed. Every breach reported to the OAIC — whether it be unauthorised disclosures or phishing — can be prevented with proper training. Staff should be taught who they can share sensitive information with, how to keep their data safe, and how to identify an online scam. By regularly training employees on security best practices, your company can avoid being another statistic.

Managing cybersecurity is never an easy task. Employees make mistakes and cybercriminals are always evolving, but Empower IT can ensure your data’s safety. We provide your business with top-tier cybersecurity solutions and expert guidance to keep your assets safe. We even offer training recommendations so your employees develop good security habits. Call Australia’s leading managed IT services provider today.