Quarterly Data Breach Report is in and again the numbers are up!

31 October 2018

#Data & Privacy

Lyn Nicholson

Published by Lyn Nicholson

On 30 October 2018, the Office of the Australian Information Commissioner (OAIC) published the third Notifiable Data Breaches Quarterly Statistics Report, which reported 245 breach notifications, up from 242 in the June quarter.

It is interesting that the breakdown of causes of breaches is consistent with the last Report. The causes were:

  • human error – 37 per cent (last quarter 36 per cent)
  • malicious or criminal attack – 57 per cent (last quarter 59 per cent)
  • system faults – six per cent (last quarter five per cent).

The Report noted that “Many cyber incidents this quarter appear to have exploited vulnerabilities involving a human factor (such as clicking on a phishing email or disclosing passwords).”

The Report provided a breakdown across key industry sectors, being:

  • health service providers – 45 breaches
  • finance – 35 breaches
  • legal, accounting and management services – 34 breaches
  • education – 16 breaches
  • personal services (including employment, training and recruitment) – 13 breaches. 

This ranking is consistent with the ranking in the last quarter. 

In terms of numbers of individuals affected by breaches, the majority of reported breaches (63 per cent) involved fewer than 100 individuals, with 41 per cent affecting between one and 10 individuals and only two breaches affecting more than 100,00 individuals.

In a report to the Senate Estimates Committee last week, the OAIC reported that this increasing number of breaches was stretching the workload of the OAIC with no additional resources provided for the function. In addition, the Commissioner noted that more complex data breaches are being reported to the OAIC, resulting in longer waits to resolve enquiries.

Further, it was noted that the OAIC had received a number of notifications that involved organisations that provided services to other businesses where the notifications to affected individuals involved multiple businesses. 

This increasing interconnectedness of relationships and service providers is a key issue that we are seeing when businesses are faced with a data breach in their supply chain and are seeking to determine who has the obligation to notify and who is best placed to notify.

We expect that this complexity will continue until businesses have fully resolved their supply chain management in relation to personal information and data breach management. Our data and privacy team can assist with preparation for, mitigation of and remediation of breaches.

Author: Lyn Nicholson

Lyn Nicholson, General Counsel
T: +61 2 8083 0463

Dan Pearce, Partner
T: +61 3 9321 9840

Trent Taylor, Partner
T: +61 7 3135 0668

Andrew Hynd, Partner
T: +61 7 3135 0642

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources. 
