
A Summary of the Notifiable Data Breaches Report Issued On 23 August 2021

Under the Notifiable Data Breaches (NDB) scheme, any organisation or Australian government agency covered by the Privacy Act 1988 (Cth)[1] (Privacy Act) must notify affected individuals and the Australian Government, Office of the Australian Information Commissioner (OAIC) when a data breach is likely to “result in serious harm to an individual whose personal information is involved.”[2]

Twice a year the OAIC publishes a report on the notifications received under the Notifiable Data Breaches (NDB) scheme. The most recent report was released on 23 August 2021 (NDB Report), covering notifications received between 1 January and 30 June 2021 (the reporting period).

Summary of Findings

The following is a summary of the findings set out in the NDB Report:

  • 446 notifications were received during this reporting period. This represents a 16% decrease compared to the 530 notifications received during the previous 6 months.
  • Top 5 industry sectors by notifications were as follows:

    Industry                                     Number of Notifications
    Health service providers                     85
    Finance (including superannuation)           57
    Legal, accounting and management services    35
    Australian Government                        34
    Insurance                                    34

  • Malicious or criminal attacks were the largest source of data breaches with 289 notifications, making up 65% of reported breaches. This represents a 5% decrease compared to the previous 6 months. Human error was down by 34%, accounting for 134 notifications, and system faults accounted for the remaining 23 breaches notified.
  • The top source of malicious or criminal attacks during the reporting period was phishing. In particular, email-based phishing was the most common method used to obtain credentials. The breakdown of cyber incidents by source, as a percentage, was as follows:

    Cyber Incident Type                                    Percentage
    Phishing (compromised credentials)                     30%
    Compromised or stolen credentials (method unknown)     27%
    Ransomware                                             24%
    Hacking                                                9%
    Brute-force attack (compromised credentials)           5%
    Malware                                                5%

  • 93% of eligible data breaches affected 5,000 individuals or fewer. There was at least one breach that affected 10,000,001 or more individuals.
  • 91% of notifications involved ‘contact information’, such as name, home address, phone number or email address information.
  • The time it took entities to identify a data breach varied significantly depending on the source of the breach. More than 80% of entities identified breaches caused by malicious or criminal attack or human error within 30 days of it occurring. However, for breaches resulting from a system fault, only 61% identified the incident within 30 days.
  • In regard to the time taken to notify the OAIC of breaches, 72% of entities notified the OAIC within 30 days of becoming aware of an incident that was deemed to be an eligible data breach. However, 6% of entities took longer than 120 days from when they became aware of an incident to notify the OAIC.

Key Takeaways

1) Rise in impersonation fraud calls for tighter security measures

Impersonation fraud, in which a malicious actor gains access to accounts, systems, networks or locations by impersonating another individual, remains a common method of breach. Accordingly, the OAIC highly recommends regularly reviewing security measures and adopting robust identity verification processes, including multifactor authentication.[3] Adequate training in verification processes, and notifying customers of account changes and sign-in attempts, are additional measures that help prevent further impersonation fraud from occurring.[4]

2) OAIC recommendations on assessing ransomware

During this reporting period the OAIC notes that a number of entities relied upon the absence of evidence that data had been accessed, viewed and/or exfiltrated to conclude that an incident was not an eligible data breach. The OAIC has made clear its position that such an assessment is insufficient.[5]

On the contrary, where an entity cannot confirm whether data has been accessed, viewed and/or exfiltrated, this is generally still considered reasonable grounds to suspect that there may have been an eligible data breach, and it will require an assessment under s26WH of the Privacy Act.[6]

As ransomware attacks remain significant, the OAIC has also recommended that entities have internal practices, procedures and systems in place to assess and respond to ransomware. These include:[7]

  • Having appropriate audit and access logs
  • Using a backup system that is routinely tested for data integrity
  • Having an appropriate incident response plan
  • Engaging a cyber security expert at an early stage to conduct a forensic analysis if a ransomware attack occurs.

3) Human error breaches remain a cause for concern

While human error breaches decreased this reporting period, this risk remains a major source of data breaches. During this period, there were a significant number of cases of unauthorised disclosure of information, in which an average of 523,998 individuals were affected per breach.[8]

The human factor also plays an integral role in many cyber security incidents, such as email phishing. Thus, in order to reduce the risk of human error, organisations need to ensure employees are given adequate training, and appropriate information handling controls and practices should be put in place.


If you would like to review the full Notifiable Data Breaches Report, please do so here.

Meanwhile, if you have any questions regarding the Notifiable Data Breaches scheme, please contact our dedicated team of Cyber experts, who can provide advice on cyber risk management and insurance solutions.


LCPA: 21/340

Marsh Pty Ltd ABN: 86 004 651 512, AFSL: 238 983.

This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy.  Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.

[1] Entities covered under the NDB scheme generally include Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
[2] ss 26WE, 26WK and 26WL of the Privacy Act 1988 (Cth).
[3] NDB Report Page 16.
[4] NDB Report Page 16.
[5] NDB Report Page 18.
[6] NDB Report Page 18.
[7] NDB Report Page 18.
[8] NDB Report Page 19.
