User credentials compromised through phishing attacks were a key source of data breaches in the three months to September 30, according to the Office of the Australian Information Commissioner.
The OAIC today released its latest Notifiable Data Breaches (NDB) update, which revealed that “malicious or criminal attack” was the source of around 57 per cent of the 245 breaches reported to it during the quarter. “Human error” was the cause of 37 per cent of breaches, and “system fault” accounted for 6 per cent.
Of the 139 breaches attributed to attacks, 96 were linked to “cyber incidents”, with the remainder involving social engineering, insider threats, or theft of paperwork or storage devices.
Half of the cyber breaches involved phishing, the OAIC revealed. The next two biggest sources of breaches in the category also involved compromised credentials: 19 per cent of the “cyber incident”-linked breaches involved credentials that were stolen or compromised by unknown means, while 12 per cent involved brute-force attacks.
Hacking was responsible for 8 per cent of the breaches in the category, as was malware, and ransomware was involved in 3 per cent.
Organisations in the legal, accounting and management services sector suffered the most breaches related to malicious “cyber” activity, followed by financial organisations and health service providers.
“Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day,” said Australian Information Commissioner and Privacy Commissioner Angelene Falk.
“Our latest report shows 20 per cent of data breaches over the quarter occurred when personal information was sent to the wrong recipient, by email, mail, fax or other means.
“Importantly, we also need to be on the alert for suspicious emails or texts, with 20 per cent of all data breaches in the quarter attributed to phishing.”
Overall, most breaches reported to the OAIC affected between 101 and 1000 people, but one involved more than 50,000 and two involved more than 100,000.
The OAIC said that most breaches involved individuals’ contact information, though during the quarter it also received notifications of breaches involving financial details and health information.
Today’s report is the third issued as part of the mandatory notifiable data breach scheme, which came into effect earlier this year.