OAIC Notifiable Data Breaches Report (January-June 2021)

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches Report for the period January-June 2021.

There were 446 notifications during this six month period:

• 65% were malicious or criminal attacks
• 30% were human error
• 5% were system faults.

Of the malicious or criminal attacks notifications, 43% were cyber security incidents:

• 30% was due to phishing (i.e. a communication disguised as being from a trusted sender in order to steal personal information, often by clicking on an email with a link or attachment)
• 24% were due to ransomware (i.e. a type of malicious software designed to block access to a computer system until money is paid)
• 9% was due to hacking (i.e. the gaining of unauthorised access to data in a system or computer)
• 5% was due to malware (i.e. software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system)
• 5% was due to brute-force attack (i.e. a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered)
• a further 27% also involved compromised or stolen credentials but the particular method of attack was unknown.

OAIC highlighted the risk of impersonation fraud in particular. This involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. As an example, a malicious actor calls an agency’s (or their contracted service provider’s) customer helpline or contact centre, impersonates a customer, and passes the verification processes. The impersonator is then able to login to online accounts, update the customer’s personal information, make fraudulent transactions, and potentially obtain additional personal information that enables them to commit further impersonation fraud.

To counter against this risk OAIC recommends that agencies:

• regularly review their security measures to minimise the risk of impersonation fraud
• have robust identity verification processes in place and adapting them to emerging impersonation fraud threats
• train staff in identity verification processes as well as how to report and escalate fraud
• implement multifactor authentication
• automatically notify customers when changes are made to their account or there are failed authentication attempts.

The Australian Cyber Security Centre (ACSC) has published an information page on their website entitled Phishing – scam emails.

ACSC gives the following tips to assist in identifying phishing attacks:

• The communication is unexpected or unusual.
• The communication creates a sense of urgency for you to do something e.g. to click a link or verify your personal details immediately.
• The subject line of the message does not relate to the content or language in the message itself.
• The email is sent from an email address that is different to the one you would usually expect from the person or organisation.

As noted above, human error accounted for 30% of data breach notifications to OAIC. Human error also plays a role in many cyber security incidents, such as phishing. The top causes of human error were:

• Personal information was emailed or sent to the wrong recipient (47%)
• Unintended release or publication (23%)
• Failure to use ‘bcc’ function when sending email (8%)

In its Notifiable Data Breaches, the OAIC includes recommendations about how entities can include privacy protections within their information handling practices in relation to sending emails.

In this, OAIC recommends that entities include:

• Automated warnings – this function requires the sender to confirm they entered the correct address of the email recipient before the email is sent.
• Deleting emails containing personal information – this function automatically deletes emails with attachments containing personal or sensitive information from the sender’s inbox and sent box, instead of sending the attachments in a secure document management system.
• Password protection on documents - this function allows documents containing personal or sensitive information to be encrypted or password protected to provide a further layer of protection.

Privacy Compliance Essentials

Experience shows it is important to have a privacy compliance program. A privacy compliance program can minimise the risk of breaching someone's privacy and the law, as well as minimise the effect of any such breach.

A breach of privacy can be costly. In addition to reputational risks, the Australian Information Commissioner has the power to order payment of compensation for privacy breaches under the Privacy Act 1988 (Cth). Previous orders for payment have ranged from $1,000-$3,000 for minor breaches to nearly $25,000 for serious breaches of privacy.

If you are responsible for your agency’s privacy compliance:

1. check you have a privacy compliance program in place, which includes access to regular awareness training and resources
2. implement processes to ensure your privacy policies and procedures remain up to date
3. check you have a data breach response plan in place
4. check your staff know when and how to undertake a privacy threshold assessment (PTA), so that a privacy impact assessment (PIA) can be done if required by the APP Code.