Malicious cyber intrusions involving phishing and compromised or stolen credentials are leading the charge when it comes to the type of incidents being notified to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches Scheme (NDB Scheme). Email scams and related cyber intrusions have been a growing problem for Australian businesses for some time. Now the latest OAIC statistics show the impact such incidents are having in terms of compromises of personal information that trigger the notification obligations under the NDB Scheme.
The NDB Scheme, in operation since February this year, requires entities to notify the OAIC and affected individuals of breaches of personal information likely to result in serious harm to those individuals.
This week, the OAIC released its latest Notifiable Data Breaches Quarterly Statistics Report (OAIC Report), covering the quarter from 1 April 2018 to 30 June 2018. While this is the second such report to be issued by the OAIC, the first report only covered a six-week period, given that the NDB Scheme commenced mid-quarter. This week’s report therefore gives us the first real taste, based on a full quarter’s sample size, of the type of incidents being notified.
A full copy of the OAIC Report can be found here.
The OAIC Report indicates that there were 242 data breach notifications in total for the quarter (bringing the total since 22 February 2018 to 305).
Of the 242 data breaches notified in the quarter:
- 142 (or 59%) were due to malicious or criminal attacks; and
- Of those, 97 (or 68%) were attributable to cyber incidents.
The OAIC categorises ‘cyber incidents’ as including phishing, malware, ransomware, brute-force attacks, compromised or stolen credentials and hacking by other means.
Critically, the Report indicates that the majority of cyber incidents were linked to compromised or stolen credentials where the method of compromise was unknown (34%), compromise of credentials through phishing (29%) and brute-force attacks (14%).
Cyber threats on the rise
The statistics released by the OAIC should come as no surprise given previous warnings of a growing appetite for cyber crime in Australia. The Australian Cyber Security Centre (ACSC) specifically foreshadowed phishing scams and stolen credentials as growing threats in their 2017 Threat Report (see here).
The ACSC Threat Report noted that “the most commonly reported ransomware delivery method is mass-market untargeted phishing campaigns”. The ACSC also found that “large-scale, untargeted phishing campaigns are generally cheap and relatively simple to run” and “malicious emails continued to be a common vector for compromising private sector networks”.
The ACSC also flagged stolen credentials as a developing threat to Australian businesses, noting that “credential-harvesting malware poses an increasing threat to Australian networks, in particular to the financial sector, by stealing credentials, such as login details, from the targeted network’s systems”.
What should I do?
The OAIC Report emphasises that many cyber incidents involved the exploitation of a human factor (such as clicking on a link in a phishing email or disclosing passwords), a good reminder that people, not IT systems, are often the weakest link in cyber security.
Staff awareness and training are therefore key.
The OAIC’s media release indicated that the data breaches being most commonly notified “can be greatly reduced by ensuring that staff responsible for handling personal information receive regular training”.
The OAIC also recommended that entities “implement strong password protection strategies, including raising staff awareness about the importance of protecting their credentials” and referred to the guide issued by the ACSC outlining mitigation strategies aimed at protecting credentials (available here).
Other steps we suggest companies look at include:
- Implement the Australian Signals Directorate’s “Essential Eight” Strategies to Mitigate Cyber Security Incidents (see here and here);
- Develop a cyber security policy for your company or, if you already have one, review and update it;
- Prepare a cyber incident response plan, incorporating a data breach response plan (see here for the OAIC’s guide to managing data breaches, including preparing a data breach response plan); and
- Consider cyber security insurance to offset the cost of responding to cyber incidents and data breaches and potential losses that may arise.
If you require assistance in getting cyber risk ready, navigating the NDB Scheme, or find yourself unsure of how best to respond to a potential notifiable data breach, contact HWL Ebsworth to speak with our cyber team.
This article was written by Andrew Miers, Partner, Jason Symons, Partner and Julian Amato, Solicitor.