In its Notifiable Data Breaches Statistics Report for April to June 2019, the Office of the Australian Information Commissioner (OAIC) said it had received 245 notifications under the mandatory reporting scheme.
That was up on the 215 recorded in the previous quarter, but below the 262 reports lodged in the December 2018 quarter.
While several hundred breaches per quarter may not seem much considering the number of businesses operating in Australia, Bede Hackney of global cyber security platform Tenable said “the reported 245 breaches is still high considering personal, healthcare and financial information are high-value assets that can be monetised by cyber criminals”.
“Australian organisations have a duty of care to protect customer information and need to be vigilant with managing, measuring and reducing their cyber risk,” Mr Hackney said.
Meanwhile, identity protection platform SailPoint’s Terry Burgess said the fact that the number of breaches being reported has been broadly stable in recent quarters is itself a cause for concern.
According to Mr Burgess, this suggests that “Australian businesses aren’t heeding the message that having the appropriate cyber security defences, coupled with staff education, is imperative”.
“The unfortunate reality is that many businesses continue to take a laissez-faire approach to cyber security, which is reflected in these reports,” he said.
“Business leaders need to put more effort into improving their security posture, which involves treating cyber threats the same way they treat overall enterprise risk. Only then will organisations reduce the likelihood of becoming a statistic in next quarter’s report.”
The five most vulnerable sectors
Health service providers recorded the highest number of data breaches of any sector, with 47 breaches, or almost one in five of all breaches reported.
The finance sector came in a close second, with 42 breaches in the quarter.
Rounding out the top five sectors were legal, accounting and management services (24), education (23) and retail (15).
“It’s concerning to see that health service providers have topped the charts again for the most breaches per quarter. Healthcare providers are natural targets for cyber attacks due to the wealth of personal and sensitive data they store,” Tenable’s Mr Hackney said.
“In today’s digital-everything world, it’s never been more critical for organisations from all sectors to ensure they are appropriately protected from emerging threats.”
How many people are impacted by these breaches?
The OAIC figures show that the vast majority of breaches affect fewer than 1,000 people each, but that figure quickly adds up given the number of breaches.
Of the 245 breaches last quarter, roughly one in four (61) impacted a single person.
There were also 43 breaches that affected between two and 10 people; 48 that impacted between 11 and 100 people; and 52 that hit up to 1,000 people.
The OAIC received one report of a data breach that impacted anywhere between 1 million and 10 million individuals.
In the case of seven breaches, it was unclear exactly how many people had been directly impacted.
What is causing data breaches?
According to the report, almost two-thirds of data breaches last quarter (62 per cent) were the result of malicious or criminal attacks, while 4 per cent were the result of technical faults with a system.
That left 34 per cent being the result of basic human error.
What personal data has been exposed?
Some people may be surprised to discover that financial information is not the most common type of information pilfered or exposed by a data breach.
The OAIC said that 90 per cent of all data breaches reported to it last quarter involved the loss of simple contact information.
Financial details were the second most commonly leaked information, at 42 per cent.
Identity details were released in 31 per cent of cases, health information in 27 per cent and individuals’ Tax File Numbers (TFN) in 16 per cent of cases.
Some 9 per cent of cases also saw other “sensitive” information released.
The OAIC’s full June quarter report can be accessed via its website.