AUSTRALIAN SUPERVISORY AUTHORITY: Human factor dominates latest data breach statistics

Data breaches attributed to human error continue to increase according to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches Report.

The OAIC received 539 data breach notifications from July to December 2020, an increase of 5% on the previous six months (512).

Australian Information Commissioner and Privacy Commissioner Angelene Falk said 38% of all data breaches notified during the period were attributed to human error.

“In the past six months, we saw an increase in human error breaches both in terms of the total number of notifications received – up 18% to 204 – and proportionally – up from 34% to 38%,” Commissioner Falk said.

“The human factor is also a dominant theme in many malicious or criminal attacks, which remain the leading source of breaches notified to my office.

“Organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising training staff on secure information handling practices.”

Malicious or criminal attack accounted for 310 notifications during the period (58%) and system fault was responsible for 25 notifications (5%).

Health service providers again notified the most data breaches (23%) of any industry sector, followed by finance, which notified 15% of all breaches.

For the first time, the Australian Government entered the top 5 industry sectors by notifications, accounting for 6% of all breaches, with human error the leading cause.

“Ensuring the security of personal information is an area of regulatory focus for the OAIC, particularly in the health and finance industries, which have consistently been the top two sectors to report breaches,” Commissioner Falk said.

The OAIC is also calling for entities to have effective systems in place for responding to data breaches.

“Being prepared for a data breach is important for all entities that handle personal information,” Commissioner Falk said.

“Entities must have effective systems for detecting, containing, assessing, notifying and reviewing data breaches.

“Critically, they need to provide individuals with clear and timely information about data breaches, including recommendations on steps they can take to protect themselves from harm. Any unnecessary delay in providing this information undermines the purpose of the Notifiable Data Breaches scheme.”

Commissioner Falk said entities should use the information and guidance provided in the report to help review their processes and ensure they are fit for purpose.

“We are nearing three years of operation of the Notifiable Data Breaches scheme and expect that entities have systems in place to report breaches in line with legislative requirements,” she said.

“We also expect organisations to have improved the security of personal information they hold to prevent breaches.

“We will continue to closely monitor compliance with the scheme and prioritise regulatory action where there are significant failings.”

Notifiable Data Breaches Report: July to December 2020

About this report

The Office of the Australian Information Commissioner (OAIC) periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to assist entities and the public to understand the operation of the scheme. This report captures notifications made under the NDB scheme for the period from 1 July to 31 December 2020.

Where data breaches affect multiple entities, the OAIC may receive multiple notifications relating to the same breach. Notifications relating to the same incident are counted as a single notification in this report.

The source of any given breach is based on information provided by the reporting entity. Where more than one source has been identified or is possible, the dominant or most likely source has been selected. Source of breach categories are defined in the glossary at the end of this report.

As with previous reports, notifications made under the My Health Records Act 2012 are not included as they are subject to specific notification requirements set out in that Act.

NDB scheme statistics in this report are current as of 8 January 2021. However, a number of notifications included in these statistics are still under assessment and their status and categorisation are subject to change. This may affect statistics for the period July to December 2020 that are published in future reports. Similarly, there may have been adjustments to statistics in previous NDB reports because of changes to the status or categorisation of individual notifications after publication. As a result, references to statistics from before July 2020 in this report may differ from references in earlier published reports.

Executive summary

The NDB scheme was established in February 2018 to improve consumer protection and drive better security standards for protecting personal information. Under the scheme, any organisation or government agency covered by the Privacy Act 1988 must notify individuals affected and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

The OAIC publishes twice-yearly reports on notifications received under the NDB scheme to track the leading sources of data breaches, and to highlight emerging issues and areas for ongoing attention by regulated entities.

Key findings for the July to December 2020 reporting period:

  • 539 breaches were notified under the scheme, an increase of 5% from the 512 notifications received from January to June 2020.
  • Malicious or criminal attacks (including cyber incidents) remain the leading source of data breaches, accounting for 58% of notifications.
  • Data breaches resulting from human error accounted for 38% of notifications, up 18% from 173 notifications to 204.
  • The health sector remains the highest reporting industry sector, notifying 23% of all breaches, followed by finance, which notified 15% of all breaches.
  • The Australian Government entered the top 5 industry sectors to notify data breaches for the first time, notifying 6% of all breaches.
  • 68% of data breaches affected 100 individuals or fewer.
  • 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was subsequently assessed to be an eligible data breach.

SOURCE: AUSTRALIAN DATA PROTECTION AUTHORITY – OAIC
