The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, launched this year’s Privacy Awareness Week (12 to 18 May 2019) under the theme “Don’t be in the dark on privacy”.
To coincide with the awareness campaign, the Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches Scheme 12-month Insights Report, the first full year since mandatory data breach reporting rules for Australian businesses came into force.
Between 1 April 2018 and 31 March this year, the scheme recorded 964 data breach notifications — a 712 per cent rise on the previous year, when reporting was only voluntary rather than mandatory.
Of those, 60 per cent were found to have been the result of malicious or criminal attacks. A further 35 per cent were attributed to human error, with just 5 per cent caused by system faults.
What caused these data breaches?
According to the report, phishing scams were the most common cause of a data breach, accounting for 153 of the reported incidents nationwide.
Concerningly, more than one in four (28 per cent) of the reported cyber incidents occurred where details had been obtained “by unknown means” — the second most common type of breach.
Targeted “brute-force attacks” accounted for 39 incidents. Hacking, ransomware and malware were responsible for 24 incidents each.
And while it is large-scale data breaches of well-known companies that tend to make headlines, the report found that 83 per cent of reported breaches affected fewer than 1,000 people.
Types of human errors giving away data
With a third of data breaches being the result of human error, the report delved deeper to identify which types of mistake are most commonly giving away data.
Erroneous emails, where personal information was sent to the wrong recipient, accounted for 91 incidents, more than any other kind of human error. Sending information by post was not much more secure, with 42 incidents of information being posted to the wrong recipient reported over the past year.
Unauthorised disclosure or release contributed to a further 62 incidents, while the loss of paperwork or a data storage device was found in 46 incidents.
Other contributing mistakes included failing to use BCC when sending an email, failure to redact information before it was released, insecure disposal of information and, in 11 cases, someone verbally giving away information they were not authorised to divulge.
Most susceptible industries
The health services sector reported more breaches than any other industry, according to the report.
The sector accounted for a noticeably higher volume of reported breaches caused by both human error and malicious attack. In total, it accounted for 206 of the 964 reported breaches.
Finance was the next most susceptible industry (138 breaches), followed by legal, accounting and management services (100 breaches), education (75 breaches) and personal services (36 breaches).
People only care about security once attacked
“When you look back over the past five years, adoption of new technologies like mobile and cloud have completely transformed many industries for both consumers and businesses. All have come to expect access to services from consumers wherever they happen to be and at whatever time they need,” said Michael Warnock, Australian country manager at Aura Information Security.
“At the same time, cyber attacks demonstrate the vulnerable, expanded attack surface associated with greater cloud adoption.
“As organisations work to secure their applications and other sensitive assets in the cloud as part of their digital transformation strategies, these attacks demonstrate the need to quickly implement consistent security controls across cloud and on-premises environments to protect user privacy.”
Mr Warnock added that this needs to be a continual process of risk assessment, education and prevention, and not something to be considered only if and when the worst happens — in which case it is too late.
“After all, most people only really care about cyber security once they are a victim of an attack,” he said.
“Cyber education in the workforce and awareness for individuals to manage their own privacy is not something people should do every 12 months with a few questions; it needs to be continuously reinforced and customised to front and centre of an organisation’s employee base.”
Consider the legal, business and compliance risks
Selwyn Black and Yue Lucy Han of Carroll & O’Dea Lawyers urged businesses of all sizes to take this opportunity to review their current practices, given the many far-reaching implications that a data breach can have on a business.
“Privacy Week is an important opportunity to check the privacy health of your business or organisation, particularly in light of the real legal, business and compliance risks and consequences of inaction,” the duo said in a statement.
“In an age where Facebook is saying that the ‘Future is Private’, a company built on extracting value from user data, it raises the question about whether it is time to view privacy as a matter of strategic importance rather than simple legal compliance.”
According to the lawyers, not all businesses are required to act under the Privacy Act, but all can benefit from reviewing the 13 Australian Privacy Principles.
“Generally speaking, if the annual turnover of a business is under $3 million, then it is most likely not required to comply with the Privacy Act 1988 (Cth),” they said.
“However, the beauty of the Australian privacy regulation framework is that it is principles-based. It is designed in a way to enshrine principles that help to foster and grow privacy-minded individuals and businesses.
“In light of Privacy Awareness Week, it may be beneficial for you and your business to review the 13 Australian Privacy Principles and apply them strategically to your business.”
They listed the principles as:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government-related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information