Malicious or criminal attacks accounted for nearly twice as many data breaches as those resulting from human error during the first quarter of 2019, according to the Notifiable Data Breaches Quarterly Statistics Report by the Office of the Australian Information Commissioner (OAIC).
The report, published today, marks the start of Australia’s Privacy Awareness Week. “By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” said OAIC commissioner Angelene Falk, according to today’s press release.
Of the 215 data breach notifications in the first quarter of 2019, 61% were caused by malicious actors, while human error was to blame for only 35% of the total breaches. "Malicious or criminal attacks differ from human error breaches in that they are deliberately crafted to exploit known vulnerabilities for financial or other gain. Many incidents in this quarter appear to have exploited vulnerabilities involving a human factor, such as clicking on a phishing email or by using social engineering or impersonation to obtain access to personal information fraudulently," the report said.
An additional 4% were the result of some system fault, the report said. Cyber-criminals reportedly targeted contact information most frequently, followed by financial details, identity information and health information.
While the report noted that a single data breach affected more than 10 million individuals, “data breaches impacting between one and 10 individuals comprised 50 percent of the notifications.”
Also noteworthy is that the 215 notifications represent a decline from the number of data breaches reported in previous quarters, yet 86 of the data breach reports were received in March 2019. While the second quarter of 2018 had 242 notifications, the final quarter of last year had a total of 262 notifications.
“Our report shows a clear trend towards the human factor in data breaches – so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.
“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity – transparency and accountability.”