Years of investment in security have failed to stem the number of data breaches affecting Australian companies, with new figures bringing to 812 the number of compromises reported since the notifiable data breaches (NDB) scheme went into effect nearly a year ago.
The latest quarterly figures from the Office of the Australian Information Commissioner (OAIC) revealed that 262 data breaches – over 87 per month, on average – were reported to the data-governance watchdog in the final calendar quarter of 2018.
The breaches involved the compromise of at least 1.63m records, up from more than 1.19m records in the first full-quarter report last July.
Contact information was breached in 223 incidents, with financial details compromised in 123 breaches – well up from the 102 breaches of financial information noted in the July report.
Identity information was compromised in 94 cases, while personally identifiable information (PII) related to some 17,746 individuals was leaked in 15 breaches attributed to unauthorised disclosure, unintended release or publication.
Human error was blamed in 33 percent of incidents, while malicious or criminal attacks accounted for 64 percent of all data breaches. Within that malicious category, 114 cases were attributed to a cyber incident, 25 to the theft of paperwork or a data storage device, and 20 to a rogue employee or insider threat.
Of the 114 cyber incidents, the most common form was phishing leading to compromised credentials, reported in 43 percent of those cases. Compromised or stolen credentials obtained by some other or unknown method were reported in a further 24 percent.
“Australian organisations are struggling to see and understand the risks associated with compromised user credentials,” SailPoint chief product officer Paul Trulove said in response to the new figures.
“The report reiterates that an organisation’s users have become the easiest route into an organisation for hackers. This is a trend we do not expect will ease up, as hackers now know that users offer them the keys to the proverbial kingdom, once compromised.”
Ransomware attacks were noted in 10 percent of cyber incidents, with hacking (8 percent), brute-force attacks (8 percent), and malware (7 percent) making up the balance.
As in each past report, the health sector continued to lead the ranks of breaches reported to the OAIC, accounting for 54 (20.6 percent) of the 262 breaches, not including any compromises of the controversial My Health Record (MHR) system, which is reported separately. The financial and superannuation industry followed with 40 reported breaches, while legal, accounting and management services and education organisations reported 23 and 21 incidents, respectively.
“The most secure path forward for organisations today,” said Trulove, who noted that the health sector in particular is a “gold mine of valuable personally identifiable information”, “continues to be taking a comprehensive approach to security, one that puts identity governance at the centre, ensuring visibility and governance over all users and their access to all applications and data.”
Ongoing breaches of Australian businesses are likely to spur the OAIC to action this year, with CQR Consulting chief technology officer Phil Kernick predicting that the coming year “will no doubt see an expensive enforceable judgement against at least one Australian company which finds itself in breach of the legislation.”
“If this should happen,” he continued, “there will be a scramble among businesses who until now may have taken a rather laissez-faire approach to their cyber security footing to adopt a heightened data security, risk and compliance culture.”
OAIC received just 9 reports of social engineering or impersonation – a surprisingly low number given that, according to the ACSC Threat Report 2017, Australians reported 307 business email compromise (BEC) attacks – collectively worth over $20m – to the Australian Cybercrime Online Reporting Network (ACORN) in the second quarter of 2017 alone.
Part of the gap is scope: a BEC attack only becomes a notifiable breach under the NDB scheme when personal information is accessed or disclosed and serious harm is likely, so many fraud-only incidents never qualify. Even so, the disparity suggests there may be many latent data breaches that have yet to be reported, particularly within companies that are still building the detection and logging capability needed to recognise a breach and collect the information required to report it.
“No organisation has perfect security,” noted WatchGuard Technologies ANZ country manager Mark Sinclair, “but successful companies staying out of these quarterly OAIC NDB reports will have business continuity plans and will have put in place a well-balanced cyber security strategy that spreads funds across threat prevention, detection and response, user education, business continuity and disaster recovery.”