11 Jun 2019

Notifiable Data Breaches: 12 months in review

Australia’s NDB (Notifiable Data Breaches) laws came into effect in late February 2018, introducing new data security standards and imposing heavy penalties for companies and individuals that fail in their duties to act and report.

A year later, it’s clear the new legislation is a win for the protection of citizens’ private information in Australia and for increasing the vigilance of those organisations entrusted with it.

Just under 1,000 (964) ‘eligible’ breaches were reported in Notifiable Data Breaches scheme’s first 12 months, a 712 percent increase compared with the final year of the voluntary scheme.

So, who got hit?

Late May 2019 was a terrible month for Australian tech unicorn Canva, after it revealed 139 million users’ private details were exposed by an unknown hacker.

However there were no breaches of this size in the 12 months to March this year.

In fact, 83 percent of breaches reported during the period affected less than 1,000 people. Around 13 percent of breaches affected between 5,001 and 10,000, with 2.2 percent of breaches impacting between 10,001 and 250,000 people.

Two breaches reported affected between 250,001 and 500,00 people, with just three impacting 1 million people or more.

Data breaches affecting larger numbers of individuals include a number of multi‐party breaches, which involve the compromise of a supplier to a number of entities. The scale of these data breaches reflects the interconnectedness of the digital ecosystem and the multiplying impact a supply chain breach can have through that ecosystem.

Top 5 reporting sectors

Healthcare was by far and away the leading source of reported data breaches in the first 12 months of the Notifiable Data Breaches scheme, accounting for 206 incidents.

Next was financial services with 134, then legal and accounting with 100.

In the Australian Information Commissioner’s annual report, they note these two sectors ranked highest due to ‘the scale of data holdings, volume of processing activities and/or sensitivity of the personal information held by those sectors, as well as those sectors’ higher preparedness to report data breaches’. Historically, each has sector also had higher obligations, including regulatory ones, which has contributed to a greater preparedness to adhere to the Notifiable Data Breaches scheme.

Education came in fourth with 75 breach notifications, and personal services rounding out fifth place with 36.

How did breaches occur?

The majority of breaches were the result of malicious or criminal attacks, accounting for 60 percent.

Phishing (compromised credentials) was the most common attack, followed by ‘compromised or stolen credentials’, ‘brute force hacking’, ’ransomware’ and then ‘malware’.  

‘Human error’ also remains a major factor too, with 35 percent of breaches occurring because of people, with that number a whopping 52 percent in the healthcare sector, and a worrying 41 percent in financial services. In both industries, a number of these breaches involved personal information being sent to the wrong person.

And in a win for the ‘machines’, just five percent of breaches were the result of system faults.

The Notifiable Data Breaches scheme has undoubtedly been a win, too, for all Australians trusting that their sensitive information has adequate protection.

As Angelene Falk, Australian Information Commissioner and Privacy Commissioner notes in her foreword to the first annual report on the scheme:

‘The requirement to notify individuals of eligible data breaches goes to the core of what should underpin
good privacy practice for any entity – transparency and accountability. Being ready to assess and, if appropriate, notify of a data breach provides an opportunity for entities to understand where privacy risks lie within their operations, to address the human and cyber elements that contribute to data breaches and to prevent or minimise harm to individuals and the community.

‘And, of course, prevention is better than cure.’

If anything, the Notifiable Data Breaches scheme is forcing organisations to take security more seriously. No longer is it a peripheral IT issue, as the consequences of a breach have not just immediate financial consequences, but also longstanding reputational ones that could ruin an organisation almost overnight, even if the death spiral takes longer to reach its inevitable end.

It’s in this context that the Notifiable Data Breaches scheme should be assessed and the growing number of reported cases should, therefore, really be seen as its growing success.

 

Brennan IT has a whole suite of both one-off engagements and managed security services that can help you organisation not only meet the Notifiable Data Breaches scheme’s requirements, but help prevent your organisation to become one of the victims, so speak to us today to find out more.

 

Top