Gone phishin’: New OAIC report
Angelene Falk: Phishing and human error are still big cyber problems across Australia
More than two data breaches are being reported by Australian companies each day, with phishing attacks on the rise, according to the latest Office of the Australian Information Commissioner report.
There were 245 breaches reported to the OAIC from July to September this year as part of the mandatory data breach notification scheme, with the majority the result of malicious or criminal attacks.
The health sector was again the most impacted by data breaches, followed by finance and legal, accounting and management services.
The data breach scheme requires all Australian government agencies and any organisation or company with annual turnover of $3 million or more to notify individuals and the OAIC if personal information has been exposed as part of a breach that is likely to cause “serious harm”.
The report shows that data breaches have continued to grow, with 60 reported in the first two months of the scheme and 242 in the previous quarter’s report.
Nearly 60 per cent of reported breaches in the last quarter were caused by malicious or criminal attack. These attacks are “deliberately crafted to exploit known vulnerabilities for financial or other gain” and include phishing, malware, ransomware and hacking.
Australian Information Commissioner Angelene Falk said local companies and government agencies need to do a better job of educating staff on cyber attacks and security, and make it a common part of doing business.
“Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day,” Ms Falk said.
The latest quarter saw an increase in the number of phishing attacks, which caused 20 per cent of all reported breaches.
Phishing occurs when an individual is contacted by email or text message by someone posing as a legitimate institution to lure them into providing passwords or personal information. This can result in their credentials being compromised.
Nearly 40 per cent of the breaches were the result of human error, including an individual sending an email to the wrong address, unintended publication of information or the loss of paperwork or a storage device.
One of the largest breaches reported also included the failure to redact personal information from a large disclosure of data.
Sixty per cent of the breaches impacted 100 or fewer individuals, while two impacted more than 100,000 people.
The most commonly accessed information was contact information, followed by financial details and identity information.
The quarterly report follows the OAIC’s appearance at a senate estimates hearing last week where its’ funding and resources for the data breach scheme were questioned.
The OAIC has nine staff working on the scheme, and has not received any additional funding to oversee it.
“It has been an additional workload for the agency. There were no additional resources provided for that function, so I’ve prioritised the work within the existing resource allocation. We’re looking for, and implementing, greater efficiencies in the way that we carry out that work,” Ms Falk said.
The number of more complex data breaches being reported to the OAIC has also resulted in longer waits to resolve the inquiries, Ms Falk said.
“We’ve received a number of matters that have involved an organisation that might carry on a business that provides services to others where those notifications affect individuals not only from one business but to several businesses,” she said.
“So, they add an additional level of complexity in terms of assisting those businesses to respond.”