Data breaches continue to rise in Oz
Published 5 February 2021
Data-related breaches are on the rise on the Australian continent.
According to data from the Office of the Australian Information Commissioner (OAIC), which periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme, there was a 5 per cent increase in breaches. The findings were for the July to December 2020 reporting period, which saw 539 breaches, compared to 512 in the period January-June. Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58 per cent of the notifications.
Data breaches resulting from human error accounted for 38 per cent of notifications, up 18 per cent from 173 notifications to 204. Interestingly, during the pandemic, the health sector reported almost a quarter (23 per cent) of all breaches, followed by finance, which notified 15 per cent of all breaches.
Also, the Australian Government entered the top 5 industry sectors to notify data breaches for the first time, notifying 6 per cent of all breaches. In addition, 78 per cent of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.
Spate of incidents
Recently, the Australian Securities and Investments Commission (ASIC) reported a cyber security breach related to its use of file sharing software.
The Australian regulator said in a notification: “This incident is related to Accellion software used by ASIC to transfer files and attachments. It involved unauthorised access to a server which contained documents associated with recent Australian credit licence applications.” Interestingly, the Accellion file sharing software was recently at the centre of a similar incident at the Reserve Bank of New Zealand.
Also, there was significant variation in the number of notifications received each month of the reporting period. The OAIC received 62 notifications in November – the second lowest monthly total since the NDB scheme commenced in February 2018 – but more than 100 notifications in July, August and September.
This reporting period saw a continuation of the trend towards a greater proportion of data breaches attributed to human error. Data breaches resulting from human error accounted for 38 per cent of all notifications, compared to 34 per cent in the previous 6 months and 32 per cent in the same period in 2019.
Kinds of personal information involved in breaches
Most data breaches (91 per cent) notified under the NDB scheme from July to December 2020 involved ‘contact information’, such as an individual’s home address, phone number or email address. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as a passport number or driver’s licence number. Identity information was exposed in 45 per cent of data breaches notified during the period, the OAIC report said.
Data breaches notified in the period also involved financial details, such as bank account or credit card numbers (40 per cent), health information (26 per cent) and tax file numbers (18 per cent). ‘Other sensitive information’ (9 per cent) refers to categories of sensitive information as set out in section 6 of the Privacy Act, other than health information as defined in section 6FA.
Recently, the SUNBURST malware attacks against SolarWinds have heightened companies’ concerns about the risk to their digital environments. Malware installed during software updates in March 2020 had allowed advanced attackers to gain unauthorized access to files that may include customer data and intellectual property.
Matt Gyde, President and CEO, Security Division at NTT Limited, had recently said that threat actors have exploited disruption during the COVID-19 crisis to launch an accelerated wave of cyberattacks around the world. The SolarWinds incidents were orchestrated by sophisticated operators and exploited the broad distribution of commonly-used software packages, he said.