Australian businesses are incorrectly relying on what they think is a loophole in notifiable data breach laws to avoid reporting ransomware infections.
The Office of the Australian Information Commissioner (OAIC) warned that “a number of entities” in the six months to June 2021 didn’t report ransomware attacks because they could not prove whether or not data was accessed or stolen.
“During this reporting period, a number of entities assessed that a ransomware attack did not constitute an eligible data breach due to a ‘lack of evidence’ that access to or exfiltration of data had occurred,” the office said in its twice-yearly report. [pdf]
The OAIC clarified this isn’t a loophole in the existing laws as much as an incorrect reading of those laws.
“An assessment of a suspected data breach under section 26WH of the Privacy Act is required if there are reasonable grounds to suspect that there may have been an eligible data breach, even if there are insufficient reasonable grounds to believe that an eligible data breach has occurred,” the OAIC said.
“It is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred.
“Where an entity cannot confirm whether a malicious actor has accessed, viewed or exfiltrated data stored within the compromised network, there will generally be reasonable grounds to believe that an eligible data breach may have occurred and an assessment under section 26WH will be required.”
It isn’t clear just how many entities tried to avoid reporting ransomware encounters in the period, but it was enough for the OAIC to sound a specific warning over the behaviour.
The OAIC also provided specific guidance around “impersonation fraud” and the extent to which incidents should be reported.
“Impersonation fraud involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location,” the office said.
“The OAIC has been advised of data breaches resulting from a malicious actor calling a service provider’s customer helpline or contact centre, impersonating a customer, and passing the organisation’s verification processes.
“The impersonator is then able to login to online accounts, update the customer’s personal information, make fraudulent transactions, and potentially obtain additional personal information that enables them to commit further impersonation fraud.”
The OAIC said it “generally considers impersonation fraud to be an eligible data breach under the notifiable data breach scheme where the personal information the entity holds is accessed by a third party and results in a likely risk of serious harm.”
“This satisfies the test of an unauthorised disclosure, even when the malicious actor already held some of the personal information,” it said.
Elsewhere in the report, Australian government agencies reported 34 data breaches over the six months, a similar number to the 33 incidents disclosed in the previous instalment of the report.
Three of these were “cyber incidents” and five related to the “theft of paperwork or [a] data storage device.”
Across all industry sectors, there was one data breach that impacted more than 10 million people in the period, and a further three that affected at least 500,000 people.