Five key takeaways from the latest Notifiable Data Breach Scheme stats

Purple 8 Feb 2019

An increase in malicious data attacks and more breaches than ever before – those are two of the standout aspects of a new batch of Notifiable Data Breach Scheme statistics revealed by the Office of the Australian Information Commissioner.

The stats, covering 262 data breaches from October 1 through to December 31, mark the fourth quarterly report since the introduction of the scheme in February of last year.

They highlight the ever-present prospect of malicious cyber-activity and the ubiquitous risk posed by human error.

Here are five key takeaways from the latest quarterly report:

1. It was the busiest quarter ever: the 262 data breaches notified in the final three months of 2018 were 17 more than July to September and 20 more than the quarter before that.

With almost a full year of data, it also looks like the number of notifiable data breaches each quarter can be benchmarked at around 250. But it’s worth noting that before the scheme came into effect the OAIC had been expecting it might receive 500 breaches a year – and there have been 517 in the past six months alone.

2. Malicious intent: the proportion of data breaches that are the result of malicious acts has been trending upwards, from 44 per cent a year ago to 64 per cent in the last quarter. It’s now clear that malicious acts are unchallenged as our biggest source of notifiable data breaches.

The 168 malicious breach notifications in the most recent quarter were 29 more than the previous one, with specifically cyber-related incidents (117) the biggest source. Interestingly, breaches resulting from ransomware made up 10 per cent of that cyber figure (only 3 per cent in July to September), while breaches related to stolen or compromised credentials increased from 19 per cent to 24 per cent.

3. For fax sake: if you wondered whether anyone in Australia was still using fax machines, then the Notifiable Data Breach Scheme statistics say “yes”. For a second straight quarter, two breaches were registered that involved personal information being faxed to the wrong recipient.

The fax use is quirky in a digital age, but really it’s yet another reminder of the role human error plays in data breaches. Human error includes everything from failing to use BCC in an email, to posting snail mail to the wrong recipient, to the unauthorised verbal disclosure of personal information. It’s also far-reaching: the 15 instances of unauthorised disclosure (unintended release or publication of information on paper or online) impacted more than 266,000 people.

Additionally, phishing incidents – which are still easily the most common cyber breaches – usually involve someone clicking on a link they shouldn’t. I can’t stress enough how much data breach issues need to be looked at as a people issue rather than just the domain of IT.

4. Health, health, health and health: for a fourth straight quarter, the health sector was the biggest individual source of notifiable data breaches. Needless to say, the rollout of MyHealth is going to be very interesting to watch (although notifications made under the My Health Records Act 2012 are not included in this report, as they are subject to specific notification requirements set out in that Act).

The health sector might account for the most breaches, but the loss of health information was involved in only 27 per cent of all breaches. On the other hand, personal contact information was involved in the vast majority of breaches (85 per cent) and financial information (47 per cent) was involved in nearly half.

5. Mining makes an appearance: for the first time, mining and resources were among the top-five sectors for breaches with 12 notifications. All of them were the result of malicious or criminal attacks and 11 were cyber-incidents – highlighting some of the potential challenges for a sector that is becoming increasingly automated.

In a release accompanying the publication of the statistics, Information Commissioner Angeline Falk noted it was equally important for businesses and individuals to guard against data breaches.

“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords,” Ms Falk said.

“The OAIC works with the Australian Cyber Security Centre to provide prevention strategies for organisations, including regularly resetting and not reusing passwords.

“By changing passwords, checking your credit report, and looking out for scams using your personal information, you can help minimise the harm that can result from a data breach.”

But information security expert and CEO of Perth’s Diamond Cyber Security, Sven Ross, said companies and people needed to think beyond passwords.

“The most effective strategy to protect against credential theft is not resetting passwords or preventing re-use, it is multi-factor authentication,” Mr Ross said.

“A password should be only one of the elements you submit to a system to validate and authenticate your identity.

“A stolen password is useless if it must be paired with another factor of authentication: something you know (password), something you have (one-time token/passcode), something you are (biometrics).”

A full list of NDB Scheme quarterly reports is published by the OAIC.

Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis.