The Office of the Australian Information Commissioner established the Notifiable Data Breaches (NDB) scheme in February 2018. Over the past four years, the Scheme has given the Australian public greater visibility into how and when their data privacy has been breached. Any organisation covered by the Privacy Act 1988 must notify affected individuals when a data breach is likely to impact them, or cause serious harm.

The Notifiable Data Breaches report is published twice a year. Each time it highlights some of the leading sources of data breaches, and shines a light on emerging data security issues.

We have summarised the latest report, Notifiable Data Breaches Report: January – June 2021. This article gives our insight into the report and how to prevent becoming a statistic in its next edition.

 

Summary of the Notifiable Data Breaches Report, Jan-Jun 2021

Key observations from January to June 2021 include:

  • Notifications decreased by 16% down to 446, compared to 530 in the prior 6 months.
  • Malicious and criminal attacks dominated, making up 65% of data breaches.
  • Breaches caused by human error decreased by 34%
  • Healthcare remained the highest reporting sector, closely followed by Finance.
  • 81% of entities reported breaches within 30 days.

 

Unforced errors and the Notifiable Data Breaches Report

A tennis player can lose a point by mis-hitting an easy ball. Similarly, data breaches often result from easily preventable user behaviour. From the latest Notifiable Data Breaches report, we see that:

  • 40% of human error breaches include sending data to the wrong email address
  • 23% of reports included accidental sharing of personal information

The number of breaches caused by human error did decrease from 203 in July to December 2020, to 134 in the latest report. Regardless, there is plenty of room for improvement on education and awareness of how end-users manage information. As we can see below:

  • 91% of data breach notifications involved contact information, such as a person’s home address, phone number or email address.
  • Identity information – including date of birth, passport details and driver licence details – was exposed in 55% of data breaches.
  • Financial details – such as bank account or credit card numbers, health information, and tax file numbers – made up 43% of breaches.

These breaches usually happened due to simple mistakes. However, consequences can be as far-reaching as when information is deliberately stolen. A wallet left on the street can lead to identity theft just as much as a stolen wallet can. The same is true with information leaked online.

 

Notifiable Data Breaches reported worryingly late

Visibility is an essential aspect of a good cyber security program. A key metric for measuring visibility is Mean Time To Detect (MTTD). This metric enables organisations to measure detection time. The lower your MTTD is, the quicker you can limit any damage done by a cyber incident.

The NDB report showed that 81% of organisations identified breaches within 30 days, 19% of the remainder took longer. The length of time it took for organisations to identify the data breach varied depending on the type of breach. 80% of organisations identified malicious or criminal attacks in less than 30 days. 30% did not identify a breach caused by system fault for over a year.

 

Phishing through the Notifiable Data Breaches Report

Phishing is a method of malicious attack that aims to compromise credentials. An attacker will send targeted emails to a large group of people. The email will request information, encourage the user to visit a malicious website or open an attachment.

The OAIC received 192 notifications regarding cyber security incidents, or 43% of all notifications. Phishing emails fell into this category and had the most incidents, comprising 30% of notifications. 

Health service providers reported the most incidents from phishing attacks, with ten reported incidents, followed by the legal, accounting & management services industry, which reported six incidents.

Phishing attacks belong to the category covering malicious or criminal attack breaches; this category remains the leading source of breaches. The number of notifications associated with malicious or criminal attacks decreased by 5% compared to July to December 2020. Eighty per cent of organisations identified data breaches from malicious attackers or human error within 30 days of the attack occurring.

Compromised credentials made up 62% of notifications received by the OAIC. Fifty-eight of these notifications resulted from email-based phishing attempts by malicious actors to gain access to these credentials.

People are the targets at the other end of phishing emails.You must train your staff to recognise and report phishing emails. Cyber security experts can create phishing tests, which measure how many people opened the email and provided details. Cyber security experts can leverage this data to train staff on recognising such emails.

 

Credentials impacted by data breaches

The OAIC leverages the term ‘stolen credentials’ to include usernames and passwords stolen by malicious actors. Cyber criminals usually use phishing (which we addressed above), or brute force (which tests password variations to find the right one) to compromise credentials.

62% of cyber incidents reported included breaches where malicious actors leveraged stolen credentials to access accounts. The top three types of personal information involved in data breaches were contact information (407 notifications), identity information (247 notifications) and financial details (193 notifications).

Malicious actors often leverage impersonation fraud to access accounts, networks, systems, or even a physical location. Businesses can reduce the risk of impersonation fraud with appropriate identity verification processes. 

The NDB considers impersonation fraud an eligible data breach. You can reduce the risk of impersonation fraud by:

  • Educating staff on identity verification and implementing measures such as multi-factor authentication.
  • Providing training on recognising fraud and flagging it.
  • Alerting customers to changes to their accounts and monitoring failed log-in attempts.

Lost and stolen credentials landed in the top three cyber security incidents. Of the 192 incidents reported in this category, lost and stolen credentials comprised 27% of this number. Brute force attacks, which also aim to compromise credentials, made up 5% of the 192 incidents.

Similarly to phishing attacks, health service providers filed the most reports on lost or stolen credentials.

 

Notifiable Data Breaches Report demands a look at ransomware

Ransomware denies organisations access to files or devices until the company pays the attacker for access. Yet 17.5% of companies that pay the ransom never regain access to their data.

The number of ransomware incidents in this reporting period increased by 24% compared to the previous reporting period. Ransomware attacks also accounted for 24% of cyber security incident notifications.

From January to June 2021, many businesses avoided reporting ransomware attacks to the NDB scheme, citing a ‘lack of evidence’ that a breach had occurred. But this approach is not consistent with the Privacy Act. The OAIC requires businesses to conduct an assessment if there are ‘reasonable grounds to suspect that there may have been an eligible data breach’. The OAIC requires you to assess, ‘even if there are insufficient reasonable grounds to believe that an eligible data breach has occurred’.

Paying a ransom can also make your business a target for a second ransomware attack. Rather than paying the ransom, you can take reasonable steps to prevent ransomware attacks. The OAIC also expects businesses to implement internal systems and practices to prevent the attacks and conduct thorough assessments if a business suspects an attack. These include:

  • Performing backups and testing data integrity.
  • Developing an incident response plan.
  • Keeping access and audit logs.
  • Engaging cyber security experts to examine systems if the company expects an attack might have occurred.

The industry that reported the most ransomware attacks was healthcare, with ten notifications. Again, the legal, accounting & management services industry followed, with five notifications.

 

How you can prevent becoming a statistic

Although everyone has an important role in protecting against cyber attacks, managing cyber security risks will vary for each organisation. Some of the key steps we recommend taking to protect against cyber incidents are:

Identify and assess risks and build strong governance principles, ensuring oversight and leadership of cyber security programs. You must build the ability to identify, determine, and document the value of their critical systems, applications, and information. Ensure processes and policies are in place to protect data privacy, integrity, and availability.

Detect, prevent and protect against risks. This is the ability to proactively detect malicious traffic and activities across your organisation and provide appropriate safeguards to ensure the delivery of services. A mature detect function enables timely delivery of events and/or activities. 

In contrast, the protect function supports the ability to prevent and/or contain the impact of a potential cyber security event. For example, endpoints can pose a great risk to an organisation if left unprotected. Endpoint detection and protection systems can detect and prevent advanced threats before they cause costly problems.

Implement assurance, training and testing. The defining feature of this ability is to provide accountability and assurance to test the effectiveness of your security controls. We know that implementing controls in a layered approach is recognised as a more effective way to provide security outcomes. The downside of a layered approach is ‘technology sprawl’, and a complicated environment of cyber security controls. 

If complexity is not understood or managed, it renders security outcomes ineffective. The principle revolves around securing applications and systems, and providing people with ongoing cyber awareness training.

 

How CT helps protect your business from ending up on the Notifiable Data Breaches Report

We build systems designed to protect your critical assets. CT increases business resilience, provides real-time threat intelligence, and helps create a robust cyber security culture.

Our advisory services can help you pinpoint your risks and provide visibility of your cyber security posture. We can implement monitoring systems to notify you of potential threats and provide solutions before they cause damage to your organisation. Finally, we can provide your employees with the training they need to recognise threats, protecting themselves and the business.

Visit our Cyber Security page for more information on how we protect your business, your customers, and their data.