What you need to know about Australia’s Notifiable Data Breaches

On 22 February, 2018, Australia’s Notifiable Data Breaches (NDB) scheme dropped, compelling organisations to report to the Office of the Australian Information Commissioner whenever a data breach occurs.

Among other implications, this means the scheme can now provide data into exactly how many significant data breaches occur in the country. In April, the first quarterly report was released. It made for interesting reading, but given that it only covered six weeks, there weren’t many conclusions that could be drawn from it.

More recently, though, the April-June Notifiable Data Breaches report, covering a full three months, was released. There is now enough data to make some well-supported observations about how Australians’ data is being breached—and some suggestions on what to do about it.

305 notifiable data breaches and counting

The Office of the Australian Information Commissioner (OAIC) was notified of 63 data breaches between late February and the end of March. There were a further 242 in the April-June quarter. On average, the OIAC is being notified of two data breaches a day.

The health sector’s ailing data security

Who’s getting hit with all these breaches? The short answer is everyone—no one can be complacent in today’s cybercrime environment.

Here are the top five sectors for NDBs, according to the April-June report:

  • Health service providers (20 percent of all NDBs)
  • Finance (15 percent)
  • Legal, accounting, and management services (8 percent)
  • Education (8 percent)
  • Business and professional associations (6 percent)

Worryingly, the “health service provider” category doesn’t even include Australia’s 700 public hospitals. (For obscure jurisdictional reasons, hospitals are exempt from the NDB scheme). It seems Australians had good reason for their collective national freak out over the security of the My Health Record scheme.

The personal information most in danger

Across all sectors, the personal information exposed in data breaches was as follows:

  • Contact information, such as home or email addresses and phone numbers (89 percent of notifiable data breaches)
  • Financial details (42 percent)
  • Identity information, such passport or driver’s license numbers (39 percent)
  • Health information (25 percent)
  • Tax file numbers (19 percent)
  • Other sensitive information (8 percent)

Most data breaches were small—38 percent affected 10 or fewer individuals, and 61 percent affected 100 or fewer individuals. Nonetheless, anywhere up to 5.3 million Australians may have been impacted by a data breach between April and June.

The good news, at least for Australia’s IT maintenance teams, is only a small amount (5 percent) of data security lapses were a result of system faults. The majority (59 percent) were caused by malicious or criminal attack—think “phishing, malware, ransomware, brute-force attack, compromised or stolen credentials, and hacking by other means.” Good, old-fashioned human error also played a big role, accounting for 36 percent of breaches.

Here are a few key takeaways you can learn from this data:

Takeaway #1: At-risk businesses should invest appropriately in IT staff

In this day and age, there’s little excuse for not having a fully staffed security team, especially if you’re in one of the oft-hit industries listed here, yet many organisations don’t. In fact, IBRS cybersecurity adviser James Turner told Financial Review, “We have a number of large healthcare organisations listed . . . but to my knowledge, only one of them has a chief information security officer. It shows these organisations don’t have a sufficient understanding of the risks they’re dealing with.”

If the NDB data suggests your business might soon be a target, invest in your staff, so you have more people dedicated to keeping your company secure.

Takeaway #2: Users need to get with the data security program

The number of data breaches attributable to human error in this report is massive, highlighting the need for more—and better—user training. While you can never fully get rid of human error, it is possible to minimise it.

As it was put in The National Law Review’s roundup of the NDB report, “To fully protect personal information from unauthorised access, disclosure, or loss, the human element of any organisation must be addressed . . . Adequate data protection compliance will only be achieved through the implementation of clear and thorough information handling policies and through ongoing training and evaluation of staff conduct.” Businesses need to take action to put those policies in place and improve how they train their staff.

Takeaway #3: Organisations must focus on cyber hygiene

While the number of data breaches attributable to human error is high, the highest proportion of breaches remains malicious breaches. To prevent these types of attacks, you need to take a hard, close look at your organisation’s cyber hygiene and make sure all your bases are covered.

Many businesses still rely on the cyber hygiene principles of yesterday and depend on firewalls and anti-malware installed on computers. Today, though, businesses need the ability to monitor and secure all devices, from servers to printers, preferably with built-in security features. Organisations should also consider segmenting their network to make it more difficult for hackers to travel through it. With these strategies, incidents can be contained and mitigated before they turn into breaches.

The data from the latest NDB report confirms what security professionals have known for a long time: the threat of a cyber breach is real and impacts a significant amount of Australian businesses. It serves as a reminder that it’s time to get serious about cybersecurity.

Want more tips on maintaining the highest standards of data security? Check out our video series on the implications of the Notifiable Data Breach scheme, featuring some of the sharpest cybersecurity observers and practitioners around.