Sending emails to wrong recipients is top human error – Privacy Regulator Reports on Data Breaches

The Office of the Australian Information Commissioner (OAIC) has issued its second quarterly statistics report (the Report) for 1 April – 30 June 2018. As the number of data breaches reported increases, interesting trends have been identified. Significantly, while 59% of breaches were caused by malicious or criminal attacks, 36% of data breaches reported were due to human error. This provides a valuable lesson for organisations: preventing human error should be a key aspect of their data security strategy.

The Report

A total of 242 notifications were made under the Notifiable Data Breaches (NDB) scheme in the second quarter. The general trend of increasing reports continued with 90 reports being made in June, compared to only 55 made in March. Contact information and financial details were the most common kinds of personal information to be involved in data breaches.

The Report also identified the top five industry sectors that made the most notifications in the quarter. These were (in order) health service providers, finance, legal, accounting and management services, education, and business and professional associations. Significantly, health service providers accounted for 49 of the notifications received which equates to around 20% of notifications made. This also did not include My Health Record breaches as those are subject to a separate notification scheme.

Causes of data breaches

The causes of notifications were:

  • malicious or criminal attacks accounting for 59% of notifications;
  • human error accounting for 36% of notifications; and
  • system malfunction accounting for 5% of notifications.

The majority of malicious or criminal attacks were due to cyber incidents such as phishing, malware, ransomware or stolen credentials. Interestingly, these often occurred through the exploitation of vulnerabilities, including human factors such as clicking on phishing emails or disclosing passwords.

Notifications that were caused by human error primarily occurred due to personal information being sent to the wrong recipient, accidental unintended release or publication, or loss of paperwork or a data storage device. However, information sent to the wrong person tended to affect smaller numbers of individuals, while lost data storage devices impacted significantly more individuals.

Prevention is best

The Report and the recently publicised data breaches suffered by PageUp and Svitzer demonstrate that prevention is best. While both PageUp and Svitzer were able to manage the breaches to prevent serious harm from occurring, the organisations suffered significant reputational loss and business impact. It can be difficult to prevent malicious or criminal attacks, but organisations can do more to address the human factor which creates vulnerability to these attacks and leads to human error.

Some practical tips for preventing data breaches are:

  1. Train your staff – Ensuring your staff are trained on data security measures is of utmost importance for an organisation-wide approach. This includes training on:
    • How to retrieve emails if they are accidentally sent to the wrong recipient or encrypting sensitive attachments in emails;
    • Identifying malicious emails which may contain cyber-attacks or malware;
    • Proper data request processes which will help employees identify when an email purporting to be from another employee (often executive level) is fake; and
    • Understanding the main human errors leading to data breaches to heighten awareness and care.
  2. Tighten system processes – Organisations should be working with experts to tighten their system processes such as requiring high strength passwords, regular checking for suspicious activity and malware, and encrypting data storage devices.
  3. Restrict data access – Often, more people than needed will have access to personal and sensitive information. Organisations should implement strict levels of access which will help minimise the chances of human error leading to data breaches.
  4. Remove unnecessary data – As organisations collect increased volumes of data, there is a need for proper deletion processes. Regular audits should be conducted to remove any data that is no longer required.

How we can help

Moores has experience working with clients to both prevent and proactively respond to data breaches. We can provide advice to your organisation regarding the preventative steps above.

If you would like further assistance, please do not hesitate to contact us.