Many readers will be aware that the mandatory data breach reporting requirements in Australia have been in operation since February of 2018. In September last year Holman Webb reported on the statistics provided by the Office of the Australian Information Commissioner relating to the quarter ending July 2018.

So, how are things looking 18 months into the operation of the mandatory reporting regime?

The statistics show that:

  1. There have been over 1,270 notifications;
  2. Only 4% arise from systems errors;
  3. 36% of breaches arise from human error (including misdirected emails, wrongfully copying in people to emails, paperwork being lost, insecure disposal of personal information and loss of devices on which data is stored);
  4. 25% relate to the disclosure of information relating to one person only; and
  5. With respect to cyber incidents:
    1. 36% arise from phishing emails
    2. 29% from stolen or improperly used access details
    3. 7% from Malware
    4. 7% from Ransomware
    5. 9% for brute force attacks.

The lesson to take from the above is that your staff are still key when it comes to data security. If we broaden the definition of staff conduct to include wrongfully opening phishing emails, and allowing the release of their passwords and other access information, then the reality is that at least 50% of all breaches arise from staff conduct.

For those wanting to ascertain whether there are any trends, the raw statistics per quarter are:

Attributes and Results of Security Breaches

QT Ended Number of Notifications Human Error (%) Fault in IT Person ONLY (%) Affecting 1 person ONLY (%) Release or Access of Contact Info (%) Release or Access of Financial Info (%) Release of Access to Health Info (%)
March 2018 63 51 3 32 78 30 33
June 2018 242 36 5 21 89 42 25
September 2018 245 37 6 24 85 45 22
December 2018 262 33 3 22 85 47 27
March 2019 215 35 4 30 87 46 29
June 2019 245 34 4 25 90 42 27
TOTAL 1,272 36% 4% 25% 87% 43% 26%

Specified Human Error

QT Ended Data Emailed, Mailed, or Faxed to Wrong Recipient (#) Emails in which sender failed to use BCC (#) Loss of paperwork, insecure disposal, or loss of storage device (#)
March 2018 N/A N/A N/A
June 2018 40 7 9
September 2018 48 6 13
December 2018 38 9 12
March 2019 34 2 12
June 2019 41 5 11
TOTAL 201 29 57

Cyber Incidents

QT Ended Phishing Emails (%) Ransomware (%) Malware (%) Brute Force Attacks (%) Via or Compromised Credentials (%)
March 2018 N/A N/A N/A N/A N/A
June 2018 29 4 4 14 34
September 2018 50 3 8 12 19
December 2018 43 10 7 8 24
March 2019 20 7 13 7 40
June 2019 43.81 8.57 2.86 4.76 30.48
Average (%) 36.2% 6.5% 7% 9.2% 29.5%

Top 5 Industries Affected by Breaches (# of Notifications)

QT Ended Health Service Providers Finance Legal/Accounting and Management Education Business Professional Association
March 2018 15 10 8 6 4
June 2018 49 36 20 19 15
September 2018 45 35 34 16 13
December 2018 54 40 23 21 12
March 2019 58 58 23 19 11
June 2019 47 42 24 23 15
Total 268 190 132 104 70

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.