The number of data breach notifications has increased steadily with each month since Australia’s new mandatory disclosure laws came into effect earlier this year, according to the latest summary from the Office of the Australian Information Commissioner.
Between April and June this year there were 242 notifications, seven of which are still being investigated to determine the full impact. What is currently known is that 37% of the breaches involved the personal information of fewer than 10 people each, and there was only one incident involving the personal information of more than a million people.
The majority of breaches were a result of malicious or criminal attacks (59%), a mere 5% were the result of system faults, and the remaining 36% were due to human error. This is a reverse of the picture painted by the first incomplete quarterly report, in which human error outnumbered attacks.
When individual human error was the cause, most were due to unintentional mishaps involving correspondence.
| Human error type | Number of notifications |
|---|---|
| Unauthorised disclosure (verbal) | 1 |
| Unauthorised disclosure (failure to redact) | 2 |
| Unauthorised disclosure (unintended release or publication) | 12 |
| Personal information sent to wrong recipient (other) | 8 |
| Personal information sent to wrong recipient (mail) | 10 |
| Personal information sent to wrong recipient (email) | 22 |
| Loss of paperwork/data storage device | 9 |
| Failure to use BCC when sending email | 7 |
Among the malicious and criminal attacks, the rogue employee/insider threat — while typically believed to be the greatest threat in terms of potential damage — was among the least numerous, with just 7 incidents in the quarter, compared with a further 7 incidents attributed to social engineering/impersonation, 31 incidents attributed to theft of paperwork or a data storage device, and 97 incidents attributed to a cyber incident.
Health service providers were responsible for the largest number of incidents, followed by the finance sector, but the report does not count breaches from public hospitals or My Health Records; for the latter, the government has insisted there have been no breaches since the scheme’s pilot began.