Lessons Learned from the Australia Notifiable Data Breaches Report
The Notifiable Data Breaches (NDB) scheme was established in February 2018 to improve consumer protection of personal information and enforce consistent cybersecurity standards. Under the NDB, any organisation or agency that must comply with the Australian Privacy Act is required to notify The Office of the Australian Information Commissioner (OAIC), as well as the affected individuals, if a breach occurs that may potentially cause those individuals serious harm.
If an entity suspects that an eligible data breach has occurred, they must perform an assessment to identify the cause or source of the breach, the type of personal information that was accessed or disclosed, and the number of individuals who are at risk of serious harm as a result of the breach.
The Office of the Australian Information Commissioner (OAIC) tracks those notifications received and publishes twice yearly reports to help identify any trends in data breaches and highlight emerging issues. The most recent report detailed information regarding all notifications received from 1 January 2020 to 30 June 2020. Below are some of the highlights and key findings from the report:
Number of Incidents
There was a 3% decrease in the number of data breaches reported, compared to the previous period from July to December 2019. Most data breaches affected less than 100 individuals, which was consistent with previous reporting periods.
The health sector was again the highest reporting sector, with 22% of all breaches. Healthcare has been the consistent leader since the OAIC has started tracking. Finance is the second highest reporting sector, with 14% of all breaches.
The majority of data breaches (84%) involved contact information, which includes information like an individual’s home address, phone number, or email address. Over a third of the data breaches involved identity information, that which can be used to confirm an individual’s identity, such as passport numbers, driver’s license number, or other government identifiers. 37% of the data breaches also involved financial details, such as bank account or credit card numbers, and 26% involved health information.
Causes of Incidents
Malicious or criminal attacks designed to exploit known vulnerabilities for financial gain remain the leading cause of data breaches, accounting for 61% of all notifications, and phishing continues to be the leading source of these attacks.
Although there was a slight decrease in the total number of breaches attributed to malicious or criminal attacks compared to the previous six months, there were 50 breaches resulting from social engineering or impersonation, which was an increase of 47 percent. The number of data breach notifications attributed to ransomware attacks also increased by more than 150% compared to the previous six months - from 13 to 33.
The second largest source of data breaches was human error (34% of all data breaches), accounting for 176 breaches, while system faults accounted for the remaining 25 breaches notified. Examples of human error include sending personal information to the wrong recipient via email or post, and unintended release or publication of personal information. Failure to use the “blind carbon copy” (bcc) function when sending group emails affected the largest numbers of people in this data breach category, with an average of 486 affected individuals per breach. Insecure disposal of personal information also impacted an average of 250 people per breach.
As you can see from the statistics above, whether it’s a staff member making a mistake or someone clicking on a phishing email, humans are still the weakest link. Therefore, the best way to counter these breach sources are to reinforce information security best practices and continue ongoing security awareness training.
With phishing and social engineering attacks on the rise, and with so many employees now working remotely due to COVID-19 risks, supplementing your annual security awareness training with additional training on how to identify and respond to phishing emails is now even more important. Attackers are taking advantage of new remote working procedures and capitalising on the coronavirus with targeted phishing and spear phishing campaigns. Users should be reminded not to click on links or download attachments from unknown sources, and to verify the email sender before providing any information or taking further action. Organisations may also want to proactively address phishing by sending quarterly phishing tests to help users learn to identify red flags and internally monitor if training campaigns are improving overall staff awareness and response.
Additional training and enforcement on handling of sensitive information, and procedures for storing and disposing of information will also help to reduce the chances for data loss.
Of the incidents detailed in the report where entities used email for the primary storage of personal information and the entity experienced a phishing attack, malicious actors were able to take over the compromised email account to carry out further phishing campaigns, or access and exploit personal information stored in the account. Implementing multi-factor authentication for email accounts and strict adherence to acceptable use policies for storing (or sending) sensitive data types within email applications can help prevent this type of attack.
In June 2020, the Australian Government shared that a number of agencies and organisations were being targeted by a sophisticated state-based actor. They reinforced the need for all systems to be updated with the latest versions of software and installing critical security patches for identified vulnerabilities in a timely manner. Multi-factor authentication for all public-facing systems, like email, was also a key recommendation made at that time.
Additional risk reduction can be gained by ensuring incident reporting procedures and plans are up to date, and clear guidance on how to identify and report suspicious incidents is widely disseminated. Scheduling table top exercises with core team members to walk through potential data breach scenarios or possible ransomware attacks can go a long ways to ensuring an organisation is prepared to quickly, and efficiently, respond to an incident and identify any possible gaps in communication, procedure, etc.
Unfortunately, as with previous reporting periods, in 55 of the reported cyber incidents, the entity experiencing the breach was unable to identify how the malicious actor was able to gain access to sensitive information. The ability to conduct a timely and thorough assessment of a suspected data breach can be difficult when an organisation does not have a comprehensive understanding of its own systems and environment. Notifying entities who did not have audit logging enabled on their networks or email servers/accounts also had difficulty determining whether a malicious actor who had gained unauthorised access to their network was actually able to access or export personal information, and if so, exactly what data had been compromised.
All organisations should be aware of the sensitive and personal information stored within their environment, document where this information is located, and know how it is being protected from unauthorised access, loss, modification, and/or disclosure. Without a comprehensive data security program based on clearly defined cybersecurity standards (i.e. a framework like the NIST SP 800-171) , not only will the entity struggle to meet its obligations under the NDB scheme but, if a data breach does occur, it may also be in breach of the requirements of the Australian Privacy Act.
Additional guidance from our Customer Relationship Management team below:
[Bradbury]: We continue to see more and more news articles on data breaches. A breach can be very costly, often in the millions of dollars, and it can also be time consuming to fix the issues in order for the company to resume normal business operations. There is also the public embarrassment of being in the press and the associated reputational damage. Ransomware is getting more expensive, as companies are paying to have their data unlocked, as well as paying to stop the attackers from sharing their data on the dark web for others to see.
Being proactive by training staff to recognise phishing emails, implementing multi factor authentication, and fixing known vulnerabilities before the hackers find them, costs less than the costs associated with a data breach. Organisations should also review all data being accessed and/or stored, and decide if it is necessary to store so much sensitive data, as having this data makes them a much more attractive target to hackers.