Critical insights into Australia’s supply chain risk landscape
Australian organizations find themselves navigating a minefield of supply chain risks, with a surge in incidents stemming from multi-party breaches. These breaches are often caused by vulnerabilities in cloud or software providers and are emerging as a challenge that demands attention and proactive strategies.
From July to December 2023, 483 data breaches were reported to the Office of the Australian Information Commissioner (OAIC), up 19% from the 407 reported between January and June of the same year. Moreover, there were 121 secondary notifications (notifications about a breach already reported by another entity), a notable increase from 29 in the previous reporting period.
The OAIC periodically publishes statistical information about notifications received under the Notifiable Data Breaches (NDB) scheme to help businesses and individuals understand privacy risks identified through the scheme.
A slow start to the year
These figures are consistent with a trend noted by the OAIC since the NDB scheme’s inception in February 2018. More notifications are received in the second half of each year, and this recent report revealed that following a typically low number of notifications (57) in July 2023, there was a steady increase in notifications received each month, reaching a peak of 97 notifications in December.
Unsurprisingly, malicious or criminal attacks emerged as the cause of over two-thirds (67%) of data breaches. This was followed by human error with 30% and system fault with 3%. Among the top causes of human error breaches, in a third (33%) of cases personal information (PI) was emailed to the wrong recipient; in 20% of cases, unauthorized disclosure (unintended release or publication) was the culprit; and in 10% PI was sent to the wrong recipient via physical mail.
Industries in the crosshairs
According to the OAIC, the health and finance sectors remained the top reporters of data breaches. The healthcare sector reported 104 breaches (22% of all notifications), and finance reported 49 breaches (10%). Insurance was hot on its heels with 45 events.
All these sectors are prime targets for bad actors due to their rich data stores, which include highly sensitive information such as medical histories and financial records, making them attractive for identity theft, fraud, and extortion.
Moreover, the strict regulatory requirements regarding data protection and privacy make non-compliance costly, incentivizing attackers to exploit vulnerabilities. As critical infrastructure, disruptions in these sectors can cause widespread chaos, posing threats to public safety and the economy.
Additionally, their heavy reliance on technology exposes them to various cyber threats, given the interconnected nature of systems and the proliferation of Internet-connected devices.
Who is affected?
When it came to the number of individuals affected by data breaches, nearly two-thirds (65%) of incidents affected 100 or fewer people.
The vast majority of data breaches (91%) during this reporting period involved the personal information of 5,000 or fewer individuals globally. Incidents affecting between 1 and 10 people made up 44% of all notifications, statistics that are similar to previous reporting periods.
Regardless of the numbers, the OAIC says the safety of personal information is critical and prioritizes regulatory action that deals with areas where the risk of harm to individuals is most significant.
The OAIC has identified these instances as follows:
- Serious failures to take reasonable steps to protect personal information.
- Inappropriate data retention practices.
- Failures to comply with the reporting requirements of the NDB scheme, particularly where the OAIC has publicized risks and mitigations.
The leading causes of breaches
It’s no surprise that cyber incidents remain the leading cause of data breaches that impacted a large number of Australians. Out of the 26 breaches that affected more than 5,000 Australian citizens, the vast majority (22) were as a result of a cyber incident.
Breaking the numbers down, the top cause was compromised or stolen credentials, with nine notifications; ransomware was just behind that with eight, and hacking with four.
The OAIC said organizations must review their controls and processes continually to ensure they effectively defend and mitigate data breaches resulting from cyber incidents.
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has formulated prioritized mitigation strategies – the Strategies to Mitigate Cyber Security Incidents – to help organizations protect themselves against a range of cyber threats. According to them, the most effective of these mitigation strategies is the Essential Eight.
The information involved
Regarding the kind of personal information involved in data breaches, the report revealed that contact and identity information were the most common kinds of personal data exposed.
Most data breaches (88%) involved contact information, for instance, names, physical addresses, phone numbers, and email addresses.
This is not to be confused with identity data, which was exposed in nearly two-thirds (63%) of incidents and includes information that could help confirm a person’s identity, such as their date of birth, passport information, or other “government identifiers.”
Information about health was exposed in 41% of incidents during this timeframe, replacing financial details as the third most common kind of personal information exposed.
It is also important to note that data breaches may involve more than one type of personal information.
The clock is ticking
All security practitioners understand that promptly detecting a data breach can mean the difference between successful mitigation and catastrophe.
The faster a company contains a breach, the more it limits the impact and the shorter the window in which a bad actor has access to its systems.
During this timeframe, 64% of breaches were identified by the business within ten days of them happening, nearly a quarter (23%) were identified more than 30 days after they occurred, and 7% took 11 to 20 days. A further 4% took between 21 and 30 days to uncover, and the timeframe was unknown in 2% of cases.
The report revealed that the time taken to identify breaches varied depending on the source of the breach in question. Where human error was the culprit, nearly three-quarters (71%) were identified within ten days, followed by malicious or criminal attacks with 61%. System fault breaches were the slowest to be discovered, with only 53% being found within ten days.
Taking appropriate action
The growing number of incidents that impact multiple parties is one of the reasons the security industry is seeing data breaches increase in complexity, scope, and impact. The numbers revealed in the OAIC’s report mean that businesses in every sector need to take proactive steps to address privacy and security risks in the relationships they have with third-party service providers.
This must include having clear, concise processes and policies in place that cover how personal information is handled and stored, as well as a thorough security incident response plan that assigns roles and responsibilities for dealing with a breach and meets all regulatory reporting requirements.