Govt reports 34 data breaches, 74% due to human error

Government remained in the top five sector to report data breaches, with 34 breaches over the last six months, according to the latest data from the Office of the Australian Information Commissioner (OAIC).

While the Privacy Act covers most Australian Government agencies, it does not cover public hospitals, public schools, state, territory and local government agencies and a number of intelligence and national security agencies, OAIC noted.

From January to June 2021, the OAIC received 446 data breach notifications, with 43% of these breaches resulting from cybersecurity incidents. The health sector remains the highest reporting industry sector (with 85 notifications); followed by finance (57); legal, accounting and management services (35); government (34); and insurance (34).

While human error breaches decreased (down 34%) after a significant increase last reporting period, Australian Information Commissioner and Privacy Commissioner Angelene Falk said entities need to remain alert to this risk, particularly the Australian Government where 74% of breaches fell into this category.

“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cybersecurity incidents, with phishing being a good example,” she said.

“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”

Data breaches arising from ransomware incidents increased by 24%, from 37 notifications last reporting period to 46.

Commissioner Falk said the increase in ransomware incidents was cause for concern, particularly due to the difficulties in assessing breaches involving ransomware.

“We know from our work and from the Australian Cyber Security Centre that ransomware attacks are a significant cyber threat,” Commissioner Falk said.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.

“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

The OAIC was notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location.

“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

Image credit: ©stock.adobe.com/au/anyaberkut