Australian govt entity hit by brute-force attack

An undisclosed Australian government entity suffered a data breach following a brute-force attack in the back half of last year, one of 33 breaches that agencies reported.

The 33 notifiable data breaches in six months put the Australian government among the top five industry sectors for reportable data breaches for the first time.

The Office of the Australian Information Commissioner (OAIC) said [pdf] that government entities subject to notifiable data breach (NDB) reporting accounted for six percent of all data breaches between July and December last year.

That equated to 33 data breaches in real terms. 

Of those 33, 29 were attributed to human error.

In 10 of the incidents, personal information was emailed to an incorrect recipient.

A further four breaches resulted from information physically mailed to someone else, and three breaches from a failure to use BCC when sending emails.

Other human error causes included redaction failures (five breaches), unintended release or publication (four breaches), loss of paperwork or data storage devices (two breaches), and unauthorised verbal disclosure (one breach).

Outside of human error, Australian government entities notified four additional data breaches, two relating to “malicious or criminal attack” and the other two attributed to “system faults”.

One of the malicious breaches was a “cyber incident” that the OAIC classified as a “brute-force attack”, which enabled an actor to compromise some form of access credentials.

The other malicious breach involved social engineering and/or impersonation.

Neither attack was described by the OAIC in its report. In addition, there was no information on what kind of “system errors” led to further data breaches within government entities.

The OAIC report also shows that government is the slowest of the top five industry sectors by data breach numbers to both identify and report a breach.

It found 61 percent of government incidents were identified within 30 days, while 58 percent were reported to the OAIC within 30 days.