On February 22nd, 2018, the Office of the Australian Information Commissioner (OAIC) enacted its mandatory Notifiable Data Breaches scheme, requiring organizations with existing obligations to secure information under the Privacy Act 1988 to report data breaches to the central authority.
Just 12 months after replacing the voluntary reporting scheme, reported data breaches had surged by 712%.
Three and a half years on, such large leaps are fortunately no longer being recorded. This is mostly attributed to the timely rollout of the scheme and measures such as CPS 234. Implemented within a quarter of the breach data first being reported, these measures delivered the desired impact of providing a safety net to the maturing cybersecurity operations across Australia.
The results are reflected in OAIC’s most recently published half-yearly report, spanning January through June 2021, which shows data breach notifications down 16% from 539 in the previous half.
Key findings from the OAIC Report:
According to the report, malicious or criminal attacks account for 65% of all breaches.
The healthcare sector remains the most breached industry with 19% of all breaches, followed by the finance sector with 13%.
Contact information remains the most sought-after data that attackers go after.
Let’s Do a Deep Dive
Interestingly, system breaches have accounted for a very small percentage of breaches reported throughout the scheme’s three-and-a-half-year tenure. The vast majority (over 90%) have been attributed to either Human Error or Malicious or Criminal Attacks.
The most commonly exposed data remains “Contact Information”, comprising an individual’s home address, phone number or email address, which appears in 90% of breaches. This information can in some cases be sensitive on its own; more often, however, the most unpleasant result is ending up on a spam list for unwanted calls or emails.
Of greater concern are the 55% of breaches containing “Identity Information” used to confirm an individual’s identity, such as a passport number or driver’s license number. This data can be abused for identity theft, which the Australian Institute of Criminology, in its most recent report, estimates costs the country $3.1 billion.
Financial details, such as bank account or credit card numbers, have been breached in similarly high numbers (43% of reported breaches), with a further 30% of breaches relating to private health information.
The importance of adequately securing this kind of data, and of having sufficient governance and compliance controls in place to ensure that it is, grows by the day.
Fortanix’s most frequently adopted product set in the corresponding reporting period was third-party encryption control of enterprise databases, with nearly half of our new customers leveraging this capability. Databases are the typical storage location for this sensitive data, which makes them an obvious target, and as a result the focus of enterprise security strategies is maturing to meet the changing landscape.
Hardware Security Modules (HSMs), used to store the cryptographic key material that secures these databases, have traditionally only been used in organisations handling the most sensitive data, due to the high cost of ownership and complexity of operations.
However, as the threat model changes and the technology evolves to suit modern systems, increasing demand for these solutions is coming from mid-market companies and startups, such as those in FinTech, where security is a competitive differentiator.
The biggest takeaway from the report, however, was the large reduction in breach notifications due to human error, down 34% from 203 to 134. The data isn’t broken out, but this aligns well with the other major shift in enterprise IT toward automation and workflow processing. Simply put, the fewer humans involved in a process, the fewer opportunities for gaps to appear in security and be exploited.
At Fortanix, we put a lot of emphasis on the consumption of our APIs for this very reason. The reduction in operational overhead is a cost saving to our customers and often helps to justify their business case. Fundamentally, however, it is the improved security posture that drives the adoption of such technologies in the first place, with breaches such as those in the OAIC report being the instigating factor.
As new threats emerge and the world adapts to different ways of working, this picture will continue to evolve. Those that put encryption at the heart of their security strategy are best placed to stay ahead of the game and not end up in these statistics.