The gargantuan Marriott customer data hack that hit around 500 million people globally at the end of 2018 appears to have substantially swollen the Office of the Australian Information Commissioner’s quarterly data release after a single notification accounted for more than 10 million affected Australians.
The OAIC on Monday was forced to lift the ceiling of its regular statistical table, adding a new bracket of 10 million-plus Australians to its quarterly catalog of corporate woe, which had previously topped out at 1,000,000 to 10,000,000.
In what could be a worrying sign for the future, the OAIC hasn’t put an upper bound on its top bracket, labelling it simply “10,000,001 or more”.
The Marriott penetration incident, which targeted reservation information, actually started back in 2014 at its Starwood Hotels and Resorts network.
That network included major brands including “W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels,” the company said at the time.
Since then, the attribution finger has been pointed at Chinese intelligence as the most probable perpetrator with the most to gain from such a monumental attack, which hoovered up guests’ passport details, credit card numbers, mobile numbers and travel histories.
A conspicuous absence of related credit card, payment and identity fraud for financial gain was also interpreted as confirming an intelligence-gathering raid rather than a financially motivated grab.
Information security sources contacted by iTnews said they were not aware of credible alternative explanations for the leap in affected individuals in Australia, noting that international companies operating in Australia were bound by reporting and privacy laws here.
The malice economy
There was a trove of other bad news in the OAIC’s latest quarterly breach data dump that came in conjunction with a ‘year in review’ assessment after 12 months of operation of mandatory breach reporting requirements.
As a fresh data set built on a mandatory reporting regime for organisations suffering data breaches – albeit one that does not name them – most observers had expected solid, continuous rises as breach reporting volumes moved beyond the old voluntary scheme.
The industrialisation of malicious exfiltration is the clear trend. For the quarter ending March 31st 2019, notifiable data breach notifications landed at 215, compared to 262 for the previous October-December 2018 quarter and 245 for the July-September 2018 quarter.
At face value those numbers are not hugely helpful in detecting trends or swings, because notification counts only reach double digits in the brackets below the 5000-people-affected mark.
“The majority of data breaches in the period involved the personal information of 100 individuals or fewer (68 per cent of data breaches). Data breaches impacting between one and 10 individuals comprised 50 per cent of the notifications,” the OAIC said in its latest report.
But it’s the persistence of malicious or criminal attack as a source of data breach notifications that stands out, at 61 percent this quarter, as opposed to good old-fashioned “human error”, which landed at 35 percent. The quarter before it was 64 percent malicious vs 33 percent human error, and the quarter before that 57 percent malicious vs 37 percent human error.
At a sectoral level, the top four breach reporting industries (ranked high to low) remained – as expected – health; finance; legal, accounting and management; and education.
But in the number five reporting slot (and this is numbers of reports as opposed to numbers of people affected), the wooden spoon has been shared among retail, mining and manufacturing, and personal services over the last three consecutive quarters.
Out of sight
What’s impossible to see from the OAIC statistics is how data breach numbers correlate – or don’t – with other patterns like online credit card fraud reported by banks that has been steadily rising.
With those losses now tipping $500 million a year, most of which is sheeted back to the same merchants roped in by mandatory reporting, a view of sectoral or systemic deficiencies would be illuminating.
In the meantime, the IT security marketing juggernaut continues to make hay from anonymised regular numbers that can only increase as corporate confessionals become more routine.
That said, vendor marketing opportunities are being cruelly cut by half by the OAIC.
The watchdog said on Monday that from July this year it would trim its output from quarterly to half yearly, the same frequency used to report payment fraud numbers.