A single mega-breach affecting more than 10 million individuals worldwide capped off a quarter in which 245 individual data breaches were identified and reported, according to the latest statistics published by the Office of the Australian Information Commissioner (OAIC).
At least 10.6 million records were compromised overall during the second calendar quarter of this year, according to the OAIC’s latest quarterly report on the operation of the Notifiable Data Breaches (NDB) scheme.
The number of breaches was up 14 percent over the previous quarter, when just 215 breaches were reported.
Contact information was compromised in 220 (90 percent) of the breaches, while financial details were exposed in 102 cases (42 percent) and health information in 67 (27 percent).
“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks and to take the necessary precautions,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk in announcing the report.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combatting data breaches and improving response strategies.”
With 47 breaches reported, healthcare service providers continued their ignominious run as the most frequently breached industry sector – a title that industry has held since reporting began.
Yet finance providers were also being hit hard, with the number of breaches in that sector surging from 27 in the first quarter to 42 in the second. Education, retail, and legal and accounting firms were also hit harder during the second quarter.
Theft of credentials by phishing was most successful in the finance (9 incidents) and legal and accounting (8 incidents) industries, while ransomware attacks were reported in health, legal and accounting, and retail sectors.
Human error was a factor in 34 percent of breaches, often through careless mistakes.
For example, poor email practice was biting hard, with an average of 601 individuals affected in each of the five cases where the sender forgot to use BCC when sending an email.
An average of 9,479 individuals were affected in each of the 15 cases of unauthorised disclosure of private data through unintended release or publication.
But with 151 data breaches (62 percent) attributed to malicious or criminal attacks, the outsider risk remained as dangerous as ever.
“Malicious or criminal attacks again account for the highest proportion of breach notifications in Australia,” said Sophos ANZ managing director John Donovan. “This indicates Australian organisations aren’t investing in cybersecurity from both a technology and employee education perspective.”
“By investing in these areas, organisations will be able to better block attacks and have a workforce that is attuned to cybersecurity issues.”
Some 44 percent of those breaches were attributed to credentials compromised through a phishing attack, while 30 percent occurred when credentials were compromised or stolen.
Lindsay Brown, LogMeIn vice president for Asia-Pacific and Japan, said the composition of the latest quarter’s breaches looks “eerily similar” and warned about the risk of poor credential management in what has become an all-too-common refrain.
“Naturally, humans resort to using the bare minimum required when inputting credentials, and this doesn’t change in the workplace,” Brown said. “Credentials are a core part of every employee’s daily workflow, and failing to secure them can have dire consequences.”
“Business leaders should take today as an opportunity to educate employees on the importance of these practices.”
Ransomware was involved in 13 data breaches (9 percent) while out-and-out hacking was the cause in a similar proportion.
The OAIC has changed its reporting schedule to semi-annually, so its next statistics report will be published in early 2020.