The Office of the Australian Information Commissioner's (OAIC) quarterly report has revealed that more than 10.5 million Ozzies – about 40 per cent of the lot of them – had their personal data slurped in a single incident in the first three months of 2019.
One specific incident affected "10 000 001 or more" individuals, while another single event hit between "250 000 and 500 000". At least 10.5 million all told had their data slurped. The regulator has also issued its report for the first year of notification requirements, which showed three incidents that affected more than one million people.
Over the year from April 2018, the OAIC found that 60 per cent of all breaches were blamed on malicious or criminal attack, 35 per cent on human error and five per cent on system fault. Figures for the quarter were very similar, with 131 breaches blamed on malicious or criminal attacks, 75 on human error and nine on system faults.
Of the breaches put down to human error, the OAIC added, 31 per cent were blamed on sending email to the wrong recipient, 16 per cent on loss of paperwork or storage devices and 28 per cent on accidental release or publication of data.
Of the malicious or criminal attacks, 66 per cent were cyber incidents, 5 per cent social engineering, 14 per cent theft of paperwork or storage devices and 15 per cent were blamed on insider or rogue-employee actions.
Of those cyber incidents, 40 per cent were blamed on compromised or stolen credentials taken by an unknown method, 20 per cent on credentials stolen via phishing, 13 per cent on malware, and ransomware and brute-force attacks contributed seven per cent each.
Private health providers made up 27 per cent of total notified breaches and 13 per cent came from the finance sector.
Total breaches were down to 215 in the quarter from 262 in the last quarter of 2018.
The OAIC does not typically name companies which have been breached, but some observers have pointed the finger at Marriott’s mega-breach – although The Reg notes that the massive personal data dump uncovered on Mega in early January could equally be suspected.