Most cyber attacks disclosed as potential data breaches by Australian companies last quarter involved compromised user credentials.
The Office of the Australian Information Commissioner released its highly-anticipated first full quarter of numbers under the notifiable data breaches (NDB) scheme in the early hours of this morning. [pdf]
The report reveals the OAIC received 242 notifications in the first full quarter of the scheme’s operation.
It previously received 63 breach notifications in the first six weeks of the scheme coming into effect.
In that first report, human error was identified as the culprit in the majority of reported cases.
However, this has fallen away substantially in the first full quarter of reported numbers, where 59 percent of notifiable breaches were the result of “malicious or criminal attacks”.
By far, the largest type of incident in this category was cyber-related, with 97 such reports, followed by “theft of paperwork or data storage device” (31 reports) and a small number of rogue employees (seven reports).
Of the 97 cyber incidents, over three-quarters “were linked to the compromise of credentials through phishing (29 percent), brute-force attacks (14 percent) or by unknown methods (34 percent)”, the OAIC said in its report.
The first full quarterly set of numbers again puts the health industry as the worst culprit for notifiable data breaches.
It had 49 notifications for the April to June quarter - averaging slightly more than the 15 the sector reported in the first six weeks of the NDB scheme’s operation.
The health numbers are going to be particularly well watched as privacy and data security concerns engulf the implementation of My Health Record.
Former privacy commissioner Malcolm Crompton told Guardian Australia yesterday that digital health records “will not be secure unless a widespread audit of every GP clinic in Australia is conducted.”
“It may well be military-grade [security] on the central servers of the My Health Record system [but] it’s demonstrably not military-grade for all of those 900,000 practitioners,” Crompton is reported as saying.
Of the 49 data breach notifications received from the health sector in the past quarter, 59 percent were the result of human error.
The specific errors varied, but the OAIC said that this category “encompasses incidents in which a mistake made by a person caused the data breach, such as communications sent to the wrong recipient, insecure disposal of personal information, or loss of paperwork or a storage device.”
“Most notifications in the period from the health sector involved the personal information involving 100 individuals or fewer (69 percent of breaches),” the OAIC said.
However, it noted that “29 percent of data breaches affected more than 100 individuals.”
Malicious attacks in the sector were more likely to be the result of theft of paperwork or data storage than a cyber incident.