4 March 2019

Cybersecurity: reported data breaches surge almost 700% in 2018

As we mark the one-year anniversary of the introduction of the Federal Government’s Notifiable Data Breach (NDB) scheme, the headlines focused on cybersecurity breaches seem to be coming thick and fast. The attack in early February 2019 on the Australian Federal Parliament’s computer network, has been identified by Prime Minister Scott Morrison as the work of a “sophisticated state actor”.  It is believed a more recent attempt to hack Toyota Australia, discovered on 19 February, failed to access any sensitive information but some of the car maker’s internal systems were still down as the month drew to a close.  The hackers that paralysed the Melbourne Catholic Archdiocese’s internal IT systems late last year seem to be common or garden criminals looking to extort a ransom.

The introduction of the NDB scheme is a Cybersecurity development we, at FIRST Advisers have been monitoring closely. We have presented on the subject at AIRA; contributed to ASX panel discussions; written articles for the Listed@ASX magazine and surveyed ASX 300 companies to assess their readiness for mandatory data breach reporting. 

The NDB scheme requires every private and public company with annual turnover of $3 million or more, listed or not, to report cyber breaches that are likely to result in serious harm to individuals whose personal information is involved in the breach. A company must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as they become aware of a breach. The notification must include recommendations about the steps individuals should take to protect themselves. 

One year on, the threat of cyber-attacks is far greater than expected 

The OAIC predicted that the number of reported breaches under the mandatory scheme in 2018, would be double the 114 reported in 2017 under the previously voluntary reporting scheme. The data for 2018 shows there were a total of 812 breaches reported, up to December 31st2018, an increase of close to 700%!! And that was for less than a full 12-month period, as mandatory reporting only commenced on 22 February 2018.

The majority of data breaches to date have involved contact information (39%) or an individual’s name, email address, home address or phone number. This is distinct from ‘identity’ information (16%) which refers to such things as driver’s licence numbers and passport numbers. One in five reported breaches involved financial details such as bank account or credit card numbers and a little over one in 10 involved health information.

The majority of breaches are the result of criminal or malicious intent

In 2018, malicious or criminal attacks accounted for a significant majority of all breaches (59%) with human error a distant second (36%). Almost a quarter of all breaches involved the release of information on between 100 and 1000 people. This was closely followed by notifications relating to a single individual (23% of reported breaches) while large scale breaches (those involving information relating to groups of people greater than 100,000), were just 1% of all notifications.

Healthcare leads the Number of Breach Incidents by Industry

Since mandatory reporting was introduced on 22 February, three sectors have accounted for almost half (46%) of all breaches. Health Service providers have consistently led the pack representing 1 in 5 notifications, followed by the Finance sector on 15%. Professional services firms in the legal, accounting and management services sector, accounted for a little over 1 in 10 of all incidents.

Phishing rules in Cyberland

Within the cyber incidents reported as a malicious or criminal attack between Q2 and Q4 of 2018, the quarters for which there is complete data, phishing was the most common form of attack (41%). Phishing is the attempt to get usernames, passwords or credit card details by sending a request for information that looks like it comes from a trustworthy source.

In a quarter of criminal or malicious cyber-attacks the method used to compromise or steal credentials had not been identified while only 11% of incidents were Brute Force Attacks, where an attacker repeatedly tries various different usernames and passwords to gain unauthorised access to sensitive information.

So are there more attacks or more awareness

The (NDB) scheme sets the threshold for reporting a cybersecurity breach as the likelihood of a breach causing harm. This threshold places Australia ahead of most other countries in terms of recording cyber-attacks and by making reporting mandatory within a 72-hour window of a company becoming aware of an attack. As a result the NDA scheme removes the need for a company to make a judgement about how material a breach is.

Any data breach that ‘is likely to result in serious harm’ must be reported and this includes when a device containing customers’ personal information is lost or stolen; a database containing personal information is hacked or when personal information is mistakenly provided to the wrong person through human error.

While the statistics from 2018 undoubtedly show a startling increase in reporting of data breaches, it is not clear if this is the result of the NDA scheme shining a brighter light on an existing problem or that there has been an actual step change in the number of cyber-attacks. It is likely to be blend of both.

What is clear is cyber-attacks are a real risk to every company’s operations and reputation. Putting in place and testing a cyber-incident response plan, built on the advice of consultants, such as FIRST Advisers, who have developed a deep understanding of the issues, and incorporating a well thought out communication strategy has never been more important.

30 April 2018

Mandatory Reporting of Data Breaches in Australia is Off and Running

Victoria Geddes, Executive Director, Writing for the Autumn 2018 Issue of Listed@ASX On February 22, 2018 the Federal Government’s new Scheme for the mandatory reporting of cybersecurity breaches that result in the loss of personal data came into effect. Every private and public company with annual turnover of $3 million or more, listed or not, is […]

Read More
5 April 2018

Short Attacks: Is Glaucus an Aberration or the new Normal?

VICTORIA GEDDES, EXECUTIVE DIRECTOR Two years ago we wrote an article on a well-established activist strategy in the US called the “short attack”. In Australia we are very familiar with short selling as a legitimate tactic to deliver portfolio performance but short or bear attacks are something else altogether. Equity markets and investors received their […]

Read More
8 December 2017

FIRST Advisers at AIRA 2017 Annual Conference & Best Practice Investor Relations Awards

FIRST Advisers was an event sponsor at the AIRA 2017 Annual Conference and Best Practice IR Awards held in Sydney in late November. FIRST Advisers contribution included moderating a Crisis management panel discussion on managing breaches to cybersecurity and sponsoring the Award for Best Investor Relations by a Company in the ASX “Mid-cap 100”. Opening […]

Read More