OAIC Data Breach Report: January – June 2023

Key Findings in the OAIC’s Data Breach Report: January – June 2023 

Some of the most interesting findings in the OAIC’s January – June 2023 Report include: 

• Australia experienced its first data breach affecting more than 10 million individuals.  
• Human error breaches tend to be identified the fastest (typically in less than 30 days). 
• Ransomware attacks are often preceded by a successful phishing attack. 
• 7% of malicious or criminal attacks were caused by a rogue employee or insider threat.  
• Almost 20% of breaches were caused by social engineering or impersonation.  

Key Takeaways from the OAIC’s Data Breach Report: January – June 2023 

Design Your Systems for Human Error & Rogue Employees 

Human error is known to be a significant cause of data breaches globally each year. And of those human error-related data breaches – sending an email to the wrong recipient is by far the biggest issue. 

We all know how easy it is to mis-send an email. Auto-fill is sometimes not our friend, particularly if you are tired, in a hurry or working off your phone (which sometimes makes it harder to see the full recipient details). 

However, there are still lots of things organisations can do to prevent these breaches.  

Training is a key tool in the prevention of human error, but organisations should also be considering how their systems could be designed to prevent human error breaches.  This includes using classifications to remind people when emails might contain personal or sensitive information and warnings when emails are being sent out of the organisation (prompting you to double-check that they’re going to the right place). 

Source: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023

Interestingly, Australia’s human error breaches largely mimic the trends we’re seeing globally. This shows that organisations can (and should) be focusing efforts and resources on preventing or reducing these types of errors: 

Showing the % of breaches caused by human error 

One Example: Reducing BCC-Related Data Breaches 

The “Blind Copy” (BCC) field is often used in emails being sent to a group (e.g. all customers) to hide individual email addresses from other recipients. 

The UK’s ICO published guidance about BCC Best Practices to avoid data breaches. Their guidance noted that organisations should be conducting assessments to determine whether the BCC function is a strong enough protection to guard against the risk of a privacy breach.  

“While BCC can be a useful function, it’s not enough on its own to properly protect people’s personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.” – Mihaela Jembei, ICO Director of Regulatory Cyber. 

The guidance notes that organisations should consider how sensitive the information they’re sharing is alongside any other relevant details that may allow individuals to infer information. The guidance highlights several scenarios where healthcare providers accidentally used the ‘To’ or ‘CC’ function (instead of BCC) and disclosed the email addresses of other patents. This allows others to infer sensitive information about the individuals.  

Source: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/  

Your Data Breach Investigation & Assessment Must Be Flexible 

The OAIC highlighted that 26% of entities took longer than 30 days to notify it of a data breach. It noted that the delay was, in some cases, the result of an inflexible and/or sequential data breach investigation plan.  

It supplied two examples of these inflexible data breach investigation methods:  

1. Entities complete a forensic investigation before assessing whether there are reasonable grounds to believe an eligible data breach occurred.  
2. Entities conduct complex technical reviews to figure out exact details (who was affected, what happened, what was breached) before notifying the OAIC, even when it is clear a notifiable breach has occurred.  

In either case, these delays pose a risk to the individuals affected by the breach.  

Organisations should ensure that their data breach response plan is sufficiently flexible that it allows for timely notifications to be made.  

Alternatively, if you rely on a sequential or fixed-method data breach response plan, your employees should receive training about data breach notifications. It is critical that they know to notify the OAIC and affected individuals at the earliest possible stage. (The plan should include reminders about this too.) 

Expect An Increase in Social Engineering and Impersonation Attacks  

Given the large number of large-scale data breaches Australia has experienced in the past year, it is likely that the information about individuals will be combined to create a more complete picture. This massively increases the risk of social engineering and impersonation attacks.  

Organisations that use personal information to identify and/or authenticate their customers’ identities should be aware of this and should implement increased protections. Some methods that may offer increased protection include customer callbacks, multi-step verification, and multi-factor authentication.  

It Might Be Time to Reconsider Your Log-In Methods 

Compromised credentials cause a significant proportion of data breaches in Australia (and globally). If you consider that many ransomware attacks are preceded by the successful compromise of credentials, the total impact increases further.  

Source: Notifiable Data Breaches Report – January – June 2023

We published an article about passkeys and how they may help organisations overcome the issues caused by passwords. We suggest reading it to learn more about how passkeys can help reduce the risk posed by compromised credentials. 

Trends in the ‘Source’ of Data Breaches 

The OAIC noted that the sources of data breaches in Australia have stayed relatively constant since the OAIC’s last notifiable data breach report for July – December 2022:  

• 70% of breaches were attributable to criminal or malicious attacks this period, which is the same as the last period.  
• 26% of breaches were caused by human error, compared to 25% in the last period.  
• 3% were system fault breaches, compared to 5% in the previous period.  

Again, organisations can use these trends to highlight or confirm their strategic priorities and resource deployment in their privacy departments over the coming months and years.  

Data Breach Management with Privacy 108 

Our data breach management services include: 

• Developing an information security incident response capability; 
• Preparing a data breach response plan; 
• Testing and training staff in your incident response; 
• Participating as legal advisers and/or privacy experts as part of your data breach/incident response team; 
• Keeping you up to date with new or changing data breach notification obligations; 
• Providing a legal opinion on your data breach notification obligations; and  
• Participating in or leading the post-incident review process. 

For help managing and securing your organisation’s data, reach out. Our privacy team would love to assist.