Agencies urged to educate staff more after reporting 34 data breaches

Most of the government breaches were due to human error. Photo: File.

Federal Government agencies reported 34 data breaches in the first six months of 2021, according to the latest report from the Office of the Australian Information Commissioner (OAIC).

This amounted to 7.6 per cent of the overall number of 446 breaches reported under the Notifiable Data Breaches (NDB) scheme, which requires any entity covered by the Privacy Act to notify eligible breaches to the OAIC.

The overall figure was down from the 530 listed in the previous six-monthly report.

The new report says the great majority of government data breaches resulted from human error, prompting a warning from Australian Information Commissioner and Privacy Commissioner Angelene Falk.

My Public Sector

Federal, State, Territory? Sign up for the week's best public sector news delivered straight to your inbox. See it all without a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.

While human error breaches fell after a significant increase last reporting period, Commissioner Falk said entities needed to remain alert to this risk, particularly the Federal Government, where 74 per cent of breaches fell into this category.

“Human error remains a major source of data breaches. Let’s not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example,” she said.

“Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”

There were 25 government human error breaches, mainly personal information sent to the wrong recipient by email (8), mail (3) or other means (5).

Unauthorised disclosures accounted for eight, including unintended release or publication (3) and failure to redact (5).

There was one incidence of a loss of paperwork or data storage device.

The Federal Government is back among the top five industry sectors after first making the list in last year’s July-December report, when 33 breaches were reported, mostly due to human error.

Government breaches were the fourth highest on the list, topped by Health service providers (85), and followed by Finance, including superannuation (57), Legal, accounting and management services (35), Australian Government (34), and Insurance (3).

Overall, malicious or criminal attacks were the largest source of data breaches notified, accounting for 289 breaches, of which nine were from government. That nine included three cyber incidents, one involving impersonation and five that involved the theft of paperwork or a data storage device.

Of the three cyber incidents, three involved phishing, one compromised or stolen credentials (method unknown) and one hacking.

The Federal Government is at the bottom of the list when it comes to time taken to notify breaches, with only 35 per cent reported within 30 days of an agency becoming aware of an incident, well below other sectors.

Commissioner Falk said an increase in ransomware incidents was cause for concern, particularly due to the difficulties in assessing breaches involving ransomware.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this, we are concerned that some entities may not be reporting all eligible data breaches involving ransomware,” she said.

“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”

The OAIC was notified of a number of data breaches resulting from impersonation fraud, which involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location.

“The growth of data on the dark web, unfortunately, means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” Commissioner Falk said.

“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm.

“Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”

Most data breaches (91%) notified under the NDB scheme involved ‘contact information’, such as an individual’s name, home address, phone number or email address.

Identity information was exposed in 55 per cent of data breaches and included an individual’s date of birth, passport details and driver licence details.

Financial details, such as bank account and credit card numbers, were involved in 43 per cent of breaches.

The report can be found on the OAIC website.