Human error responsible for 41% of data breaches in Australia's finance sector
Human error is responsible for 41 per cent of data breaches in Australia's finance sector, the privacy commissioner has revealed.
Privacy Awareness Week is being marked around Australia from 12 to 18 May 2019, shining a spotlight on personal information and how to protect it. On occasion of the event, the Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches Scheme 12-month Insights Report.
The NDB scheme made it a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold.
According to the OAIC's findings there were 964 data breach notifications from 1 April 2018 to 31 March 2019, equal to a 712 per cent rise on the previous year.
Overall, 60 per cent of these breaches were due to malicious or criminal attacks, while 5 per cent were related to a system fault. Over a third of the reported breaches, or 35 per cent, involved human error, such as the unintended disclosure of personal information or the loss of a data storage device.
In the finance sector alone, human error accounted for 41 per cent of data breaches, higher than the cross‑sectoral average.
OAIC noted that finance has long been a target of cybercriminals given the financial rewards possible, and attacks on the industry have been observed to have risen in recent years. Accordingly, a high proportion of finance sector breaches — 56 per cent — were attributed to malicious or criminal attacks.
Regulators such as the Australian Prudential Regulation Authority (APRA) are introducing new standards, such as Prudential Standard CPS 234 Information Security, to help ensure regulated entities in the finance sector are resilient to information security incidents, and promptly notify APRA of material information security incidents.
Size of breaches
Most breaches notified during the period impacted a small number of individuals — 83 per cent affected fewer than 1,000 people.
The large number of smaller-scale breaches may reflect the prevalence of poor workplace practices by a single employee, resulting in scenarios where dozens of records are breached, rather than high-volume data loss incidents from a single system compromise, the OAIC said.
Where data breaches affected larger numbers of individuals, they were mostly multi-party breaches, which involve the compromise of a supplier serving a number of entities.
OAIC judged that the scale of these data breaches reflects the interconnectedness of the digital ecosystem, and the multiplying impact a supply chain breach can have through that ecosystem.