There were 964 data breaches reported to the federal regulator in the first year of mandatory reporting rules, and “malicious or criminal attacks” were behind 60% of cases, with most of the remainder caused by human error and only 5% blamed on malfunctions.
In 17% of incidents, information about more than 1000 people was nicked, and contact details were exposed 86% of the time. Dodgy emails were the most common method of attack. Successful attempts at phishing or spear-phishing (the more targeted kind) were the cause of 153 data breaches.
In 28% of incidents, the target had no idea how access credentials were obtained (possibly from a past mass data breach). While human error was blamed for 35% of reported breaches overall, it was the cause of 55% in the health sector, and 41% in the finance sector.
Most data breaches happened in the health sector, where accidents like sending information to the wrong address were more common than attacks. Next in line was finance, followed by professional services, both of which saw slightly more malicious activity than human error. System errors rarely led to data breaches anywhere.
The Office of the Australian Information Commissioner (OAIC) received a total of 1,132 notifications in the year to March 31, 2019 — a massive 712% increase on 2017, under the previous voluntary reporting system. But not all counted as “eligible data breaches” under the law; 168 either came from entities that are exempt from the Privacy Act or did not meet the legislative criteria to be reported to the regulator.
Regulator leaves naming and shaming to the media
In the first year since the Notifiable Data Breach legislation took effect, information and privacy commissioner Angelene Falk has focused on encouraging better security practices and helping organisations comply with the regulations, which cover the private and public sectors.
She says the OAIC has “examined security practices and conducted inquiries to ensure containment, rectification and future mitigation of security risks” in some cases. “There have also been times when further regulatory action has been necessary, including issuing a direction to notify under s 26WR of the Privacy Act.”
Falk notes the scheme is expected to raise consumer confidence in the security of data people have already handed over to various organisations, and help them decide whether to trust “particular entities” with their personal information in the future. But the OAIC rarely names the organisations that report data breaches.
The legislation doesn’t allow her to do much naming and shaming but the commissioner hopefully suggests journalists can contribute towards these consumer-awareness outcomes.
“While the NDB scheme does not generally permit the OAIC to publish details about which entities have reported eligible data breaches, there has been a sustained interest from the media in reporting data breaches over the year, which has meant that in many cases, entities that have experienced a data breach have been in the public eye.
“This has led to growing awareness of privacy rights and issues amongst consumers and the risks inherent in putting information online, as well as proactive measures that every person can take to protect themselves,” she says.
Falk’s office has observed some organisations improving privacy and security standards in response to the new regulations, and minimising the data they collect to reduce risk. She says the OAIC has been able to “work constructively” with organisations when they have proactively come forward to discuss data breaches, or ask whether an incident meets the reporting threshold.
The commissioner reports “some maturation has been evident” in how organisations respond to data breaches over the year.
In the second year of the mandatory data breach reporting scheme, the OAIC will have higher expectations of organisations covered by the rules, in terms of their efforts to prevent breaches.
“This means taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent and respond to breaches. We also encourage entities to move beyond compliance to effectively support consumers.
“While the law obliges entities regulated under the Privacy Act to provide transparent and useful information to consumers, it is those entities who focus on the consumer and navigate beyond compliance to support affected individuals to take steps to minimise or prevent harm in a meaningful way who will differentiate themselves and maintain trust over time.”
The commissioner reports the OAIC will take “a proportionate and evidence-based regulatory approach” going forward and use its enforcement powers if necessary.
Few consumers trust government with data
Government organisations barely rate a mention in Angelene Falk’s report on data breaches, but even so, few consumers trust government organisations with their data, according to the latest Deloitte Privacy Index.
The “big brands” in the government sector ranked eighth out of 10 sectors, based on a survey of 1000 people about how much they trust 100 well-known organisations with their privacy, conducted for the consulting firm by Roy Morgan Research.
This year’s questions focused on consumer attitudes about smartphone apps, and found trust in the brands behind them was the main factor in the decision to hand over personal information for 65% of people.
Almost half of respondents (46%) said they gave false information in apps due to privacy concerns and privacy policies were not accessible in 22% of apps produced by the “top 100 brands” surveyed. “This means that the basic transparency requirements of privacy law in Australia are not being fully met,” comments the author of the report, David Batch.
Users could partially opt out of giving personal information to 59% of the apps, but only 21% of the organisations indicated the user could delete their personal data or ask for it to be deleted.
Deloitte makes much of the fact that 89% of respondents said they had denied permissions requested by apps to access their location, photos, contacts, camera or microphone, due to privacy concerns, and 63% have chosen to delete an app rather than grant the permissions.
When there’s no good alternative, however, most people just take the plunge despite their qualms.
“This year’s findings do indicate both a growing consumer awareness of, and ability to discern, good privacy practice,” Batch said.
“Nevertheless, some brands have such great market share because they effectively monopolise the goods or services in high consumer demand in their sector. In this instance, consumers will still interact with that brand’s app regardless of their level of trust in that brand.”