Attacks to fore as data breaches rise
Malicious or criminal attacks accounted for 59% of data breaches reported in the June quarter, as notifications increased under the new transparency regime.
The Office of the Australian Information Commissioner (OAIC) was alerted to 242 breaches in the first full quarter of reporting under notifiable data breach rules, which took effect on February 22. Only 63 incidents were reported in the partial first quarter.
Compromised user names and passwords were a major feature of malicious or criminal actions, while theft of paperwork or data storage devices also caused breaches. Human error caused 36% of incidents, including sending emails containing personal information to the wrong recipient, and accidentally releasing or publishing details.
Robyn Adcock, Gallagher Client Manager – Professional and Financial Risks, says breach reporting requirements in Australia and Europe highlight the importance of cyber-risk management.
“Conversations around cyber insurance have picked up markedly in the past 12 months following new legislation and a series of major global ransomware attacks,” he said.
“It is key that all businesses understand the cyber exposures they face and how best to mitigate against the threat of breaches that could be costly from both a financial and reputational perspective.”
Under the new Australian laws, organisations must inform affected individuals if a breach is likely to result in serious harm, and notify the commissioner.
“The OAIC continues to work with entities to ensure compliance with the scheme, offer advice and guidance in response to notifications, and consider appropriate regulatory action in cases of non-compliance,” Acting Australian Information Commissioner Angelene Falk said.
Contact information was revealed in 89% of breaches reported to the OAIC in the quarter, while financial details were involved in 42% of cases. Other failures involved identity information, health data and tax file numbers. The private health sector had the most breaches, with 49 notifications, followed by finance with 36.
Gerry Power, National Head of Sales for cyber specialist underwriting agency Emergence Insurance, says employee education is important to prevent errors, while the rise in notifications shows the need for cyber cover as part of a risk management framework.
“Cyber insurance is not the first line of defence, it is designed to protect a business when its IT security, policies and procedures fail to stop an attack,” Mr Power said.