Take a bow, Australians: we may have had 242 breaches sent to the information commissioner this quarter, but almost nobody fell victim to ransomware attacks.
Of all the data breaches reported to the Office of the Australian Information Commissioner (OAIC) between April and June this year, only two were ransomware attacks.
However, given the MyHealth Record debate in Australia, the statistics paint a grim picture: the health sector recorded the most notifiable breaches from April to June.
The OAIC data, published today, is the first full quarter of data breach statistics since the notification regime came into force on 22 February 2018.
Breach notifications rose in each of the months covered by the report, which probably indicates rising business awareness of the legislation: there were 65 notifications in April, 87 in May, and 90 in June, a total of 242 in the quarter.
Only one reported breach affected more than a million customers. While the OAIC doesn't identify which organisations were breached, the only large-scale candidate Vulture South is aware of in those three months was the Commonwealth Bank's misplaced backup tapes, which became public in May.
At the time, we argued that the practical impact of the breach is probably limited. The tapes were supposed to be destroyed, and may have been, but even if they weren't, recovering useful data from them would be difficult.
Most of the breaches – 223 of them – affected fewer than 5,000 individuals and 93 breaches affected 10 people or fewer.
Vulture South would note that a data breach affecting a single person (51 incidents reported) is likely to be targeted at that individual, and may have a far greater effect on the victim than a mass leak of e-mail addresses.
The health sector had 29 breaches due to “human error” and 20 due to “criminal attack,” both breach sources topping the five industry sectors reported by the OAIC.
The OAIC's analysis of data breaches by industry
This is worrying for two reasons: first, Australians are already extremely touchy about health data security in light of the MyHealth Record debate; and second, because the OAIC data could underestimate the number of breaches in the sector.
That's because public hospitals aren't covered by the scheme, and the data also excludes notifications covered by the MyHealth Record Act, as noted by analyst Justin Warren:
The top industry for notifiable data breaches was healthcare, and that *excludes* public hospitals because they're not covered by the Privacy Act. It also excludes notifications required by the #MyHealthRecord Act: https://t.co/Fv50DtBAKq — Justin Warren (@jpwarren), July 30, 2018
The government believes there have been no MyHealth Record breaches yet.
Most of the breaches in the health sector were attributed to human error (learn to use the bcc: field, people, and don't trust autocomplete), while the finance sector had the dubious honour of topping the list for “cyber incidents”. Out of the 14 reported breaches in the finance sector, 13 were attributed to credentials, compromised either via phishing or “method unknown,” with a single breach attributed to a successful brute-force attack against someone's credentials.
Across all industries, 59 per cent of incidents were attributed to malicious attacks; 36 per cent to human error and 5 per cent to some kind of system failure. ®