Read on for the latest on data breaches and a reminder of the privacy compliance essentials for government agencies.

OAIC Notifiable Data Breaches Report (January – June 2021)

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches Report for the period January – June 2021.

There were 446 notifications during this six month period:

• 65% were malicious or criminal attacks
• 30% were human error
• 5% were system faults.

Of the 65% which were malicious or criminal attacks notifications, 43% of these were cyber security incidents:

• 30% was due to phishing (i.e. a communication disguised as being from a trusted sender in order to steal personal information, often by clicking on an email with a link or attachment)
• 24% were due to ransomware (i.e. a type of malicious software designed to block access to a computer system until money is paid)
• 9% was due to hacking (i.e. the gaining of unauthorised access to data in a system or computer)
• 5% was due to malware (i.e. software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system)
• 5% was due to brute-force attack (i.e. a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered)
• further 27% also involved compromised or stolen credentials but the particular method of attack was unknown.

OAIC highlighted the risk of impersonation fraud in particular. This involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. As an example, a malicious actor calls a service provider’s customer helpline or contact centre, impersonates a customer, and passes the organisation’s verification processes. The impersonator is then able to login to online accounts, update the customer’s personal information, make fraudulent transactions, and potentially obtain additional personal information that enables them to commit further impersonation fraud.

To counter against this risk OAIC recommends that agencies:

• regularly review their security measures to minimise the risk of impersonation fraud
• have robust identity verification processes in place and adapting them to emerging impersonation fraud threats
• train staff in identity verification processes, as well as how to report and escalate fraud
• implement multifactor authentication
• automatically notify customers when changes are made to their account or there are failed authentication attempts

The Office of the Victorian Information Commissioner (OVIC) has published an Information Sheet on Phishing Attacks And How To Protect Against Them.

OVIC gives the following tips to assist in identifying phishing attacks:

• the communication is unexpected or creates a sense of urgency for you to do something – e.g. telling you that you have received a missed call and sending you to a website to hear it
• it asks you to click a link, open an attachment or sends you to a website which asks you to enter your information
• the link suggests that it will take you to a legitimate website but, when you hover over the link, it shows that it is actually for a different website
• it asks for information that the real sender would not necessarily need to know.

OVIC recommends that, in addition to raising awareness of this type of scam, an agency should:

• use spam filters or secure email gateways to block deceptive emails from reaching employees
• enable multifactor authentication and anomaly login policies.

As noted above, human error accounted for 30% of data breach notifications to OAIC. Human error also plays a role in many cyber security incidents, such as phishing. The top causes of human error were:

• personal information was emailed or sent to the wrong recipient (47%)
• unintended release or publication (23%)
• failure to use ‘bcc’ function when sending email (8%).

OVIC has published an Information Sheet on Tips To Reduce Data Breaches When Sending Emails. In this, OVIC recommends that agencies:

• disable Outlook’s AutoResolve function – this function recommends recipients based on the letters you type into the ‘to’, ‘CC’ and ‘BCC’ fields by searching through a list of recipients you have previously emailed but it can result in an email being sent to the wrong recipient
• double check email recipients – this includes double clicking on a recipient’s name as displayed in the ‘to’, ‘CC’ or ‘BCC’ fields so that their full email address is visible.
• set a delay rule – so that an email is not sent for between two to five minutes after you have clicked ‘send’. It is a better strategy than trying to use the ‘recall’ feature, which is usually ineffective at removing the email from the recipient’s inbox
• check email threads – read through the entire email before you click ‘send’ and consider whether any of the earlier part of the email thread should be deleted (e.g. it contains information the sender doesn’t need to know)
• use bcc when sending group emails – also implement other processes such as reviewing distribution lists regularly for accuracy and asking colleagues to review the email before sending
• use MailTips – these are messages or ‘prompts’, which appear while writing an email and can be set up to include:
  • an email being sent to an external recipient outside your organisation, a prompt that it is an external recipient
  • an email containing an attachment, a prompt to check that the correct attachment is attached
  • if emailing multiple external recipients which are included in the ‘to’ or ‘CC’ field, a prompt reminding you to use the ‘BCC’ field instead.

Privacy Compliance Essentials

Experience shows it is important to have a privacy compliance program. A privacy compliance program can minimise the risk of breaching someone's privacy and the law, as well as minimise the effect of any such breach.

A breach of privacy can be costly. In addition to reputational risks, there is a right to seek compensation of up to $100,000. As an example, compensation has been paid for the following:

• a government employee posting a person's application for employment on a personal internal blog website (demonstrating the need for privacy training)

• losing a person's identification documents provided at a job interview (demonstrating a lack of sufficiently robust procedures)

• taking photographs at a community event without giving the proper notice (demonstrating a lack of adequate procedures and training).

If you are responsible for your agency’s privacy compliance:

1. check you have a privacy compliance program in place, which includes access to regular awareness training and resources
2. implement processes to ensure your privacy policies and procedures remain up to date
3. check you have a data breach response plan in place
4. check your staff know how to undertake a Privacy Impact Assessment (PIA).