Notifiable data breaches grew 16% in 1H20

Data breaches reported to the Office of the Australian Information Commissioner (OAIC) attributable to ransomware grew 150% during the first half of calendar 2020 to 33.

The OAIC’s latest Notifiable Data Breach scheme report found that the total number of breaches grew by 16% year-on-year but were down 3% from the previous six-month period.

The number of breaches attributed to human error grew by 7% from the prior six-month period to 176, with the proportion of breaches rising to 34% from 32% over the same period. This trend was most pronounced in May, with human error breaches accounting for 39% of all notifications.

Although this may suggest the increase was down to the struggle to implement secure working from home arrangements due to COVID-19 lockdowns, the OAIC said it was not aware of evidence to suggest that the spike was due to changes in business practices related to the pandemic.

“While no specific cause for this change has been identified, it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

The report found that malicious or criminal attacks remained the top source of breaches, accounting for 61% of all notifications.

Of these, the majority of attacks involved cybercriminals accessing accounts using compromised credentials, either through phishing (36%), brute force attacks (6%) or another method (25%).

Ransomware attacks accounted for 15% of breaches attributable to malicious actors, with the total number of attacks growing by 150% to 33%. Perhaps even more concerning is the evolution of the methods being used in these attacks, Falk said.

“We are now regularly seeing ransomware attacks that export or exfiltrate data from a network before encrypting the data on the target network. This trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks,” she said.

“It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.”

According to WatchGuard Technologies ANZ Regional Director Mark Sinclair, this is a trend that is here to stay.

“It is becoming common for malicious actors to threaten to release such data to the dark web if the ransom is not paid. Companies need to take stock of what sensitive data they possess and the implications of this data falling into the wrong hands as a result of a successful ransomware attack,” he said.

Other attack methods traced to breaches during the six-month period include hacking (13%) and malware (4%).

The healthcare sector remained the sector plagued by the largest proportion of breaches at 22%, with finance coming in second at 14% and private education in third at 8.5%.

Meanwhile, the majority (64%) of breaches during the quarter affected fewer than 100 individuals, with 46% of breaches affecting fewer than 10. But more than half of the remaining breaches affected over 1000 individuals with 30 breaches affecting more than 5000.

The majority (84%) of reported breaches involved contact information, such as an individual’s home address, phone number or email address. But over a third of data breaches contained more sensitive identity information, such as passport or driver licence numbers.

In addition, 17% of breaches involved tax file numbers; 37% involved financial details, such as bank account or credit card numbers; and 26% included health information.

“More than half of the attacks involved disclosure of more than just contact details — such as financial details, health information and identity details,” Attivo Networks ANZ Regional Director Jim Cook said.

“Of particular concern is the prevalence of social engineering and insider attacks as these will often be targeted at removing data of higher value. Many of these attacks were preventable with a combination of technology and social interventions.”

Finally, the report found that while 77% of entities reporting an attack during the quarter were able to identify a breach within 30 days of it occurring, in 47 instances it took up to a year to become aware of a breach, and in 14 cases it took more than a year.

Image credit: ©stock.adobe.com/au/James Thew