The Notifiable Data Breaches Report from the OAIC continues to underscore how prevalent malicious or criminal attacks are as a cause of data breaches: they accounted for 67% of breaches notified in Australia from January through June 2024. Human error, which accounted for nearly a third (30%), is the other major contributor, with misdirected communications a key factor: information sent to the wrong recipient accounted for 38% of human error breaches.
Within the breakdown of cyber security incidents, phishing accounted for nearly a third (31%), followed by ransomware and compromised or stolen credentials at 24% each. Phishing, which often leads to the compromise of email accounts, is one of the primary ways breaches occur. This is compounded by the fact that personally identifiable information (PII) is often shared via email without encryption, so a single compromised mailbox can expose it. Ransomware accounting for nearly a quarter of cyber security incidents is a stark reminder that ransomware attacks continue to have a significant impact on organisations, and that a consequence of those attacks is the exposure of PII and other sensitive information. Compromised or stolen credentials also accounting for nearly a quarter of cyber security incidents suggests that additional security mechanisms, such as multifactor authentication (MFA), are not as widely deployed as they should be; MFA would be a key mitigating factor for this category of breach.
The report also reveals a worrying trend in how quickly affected entities discover breaches. From July through December 2023, 64% of affected entities discovered a breach in 10 days or less, while 23% took more than 30 days. From January through June 2024, only 56% of entities discovered a breach in 10 days or less, a decrease of 8 percentage points, while 30% took more than 30 days, an increase of 7 percentage points. The longer a breach goes undiscovered, the more the parties responsible can capitalise on it, whether through the sale of stolen data or because the delay undermines the organisation's ability to respond effectively.
“What isn’t captured in this report is the fact that on a global scale, due to various countries and their respective data breach reporting requirements, we truly do not know the depth and breadth of breaches, as many incidents are often categorised as an unspecified cyberattack and a true root cause is never identified. It is important for more countries to adopt better data breach reporting requirements for organisations of all sizes because knowing is half the battle.” – Satnam Narang, sr. staff research engineer, Tenable