If you’ve been working in Digital Forensics or Incident Response in Australia then you should be aware of the new legislation relating to notifiable data breaches by the Office of the Australian Information Commissioner (OAIC).
In amongst the OAIC’s website, there is some very useful information for incident responders as well as companies who are unsure as to whether they need to disclose when they’ve have had a data breach. You may already work for a mature organisation that has had appropriate legal and technical council in relation to this but if it’s all new to you then I suggest now is a very good time to start reading.
The OAIC outlines a data breach as so:
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable. Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include:
- loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- unauthorised access to personal information by an employee
- inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
- disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
The OAIC has recently released quarterly statistics and there are some interesting points which have come out of this.
1: The highest number of individuals affected were 1,000 or fewer across 107 different breaches.
2: It would seem that healthcare organisations are still top of the list for all sorts of targetted attacks in Australia. This comes as no surprise and a statistic that is common in most developed countries.
Investment in security and infrastructure are clearly still lacking in this area since the WannaCry outbreak hit so many systems worldwide.
3: The number of breaches being reported has gradually increased since the start of 2018. Presumably, this will continue to increase.
4: The largest amount of data loss relates to contact information such as names, addresses, email addresses. This is closely followed by financial details. This reflects the businesses which are predominantly targeted (health and finance).
This is also a clear indicator that the low hanging fruit is going to be the most leveraged by attackers. It should come as no surprise that we should expect to see just as many, if not a marked increase in targetted phishing campaigns.
5: Human error still accounts for 36% of data breaches, this indicates there is still a major gap in staff awareness across all industries. Interestingly, the most accidental disclosures happened by PI being sent to the wrong email address but the largest amount of affected individuals was due to loss of paperwork or storage device.
6: 59% of breaches were due to malicious or criminal attacks. Again, this clearly shows there needs to be further investment in education and security.
The highest of these types of malicious or criminal breaches were classed as Cyber Incidents and the breakdown of this can be seen as such:
Compromised credentials being the highest at 34%
Phishing at 29%
I think we know where this is going… Investment in education, training and security.
Some final observations:
- Questions from clients and their insurers are gravitating more so than ever around what went out the barn door, rather than what led to the door being opened.
- Phishing is still a huge problem for all industries.
- Ransomware is largely going unreported. I suspect this may be due to the assumption by many IT vendors when responding is that all ransomware outbreaks are ‘smash and grab’ attempts.
- Understanding how credentials are compromised and how they are being compromised is still largely unknown in most industries.
- Reporting is on the increase, this can only be a good thing for the general populous
For further reading: