Data breach report reveals over 10 million people hit by one single Australian cyber attack


The Office of the Australian Information Commissioner (OAIC) has released its quarterly data breach report, which reveals that more than 10 million individuals living in Australia had their personal information compromised in a single cyber-attack incident.

This "Notifiable Data Breaches Quarterly Statistics Report" captured notifications received by the OAIC under the Notifiable Data Breaches (NDB) scheme between January 1 and March 31.

The report did not provide any details on the origin of the cyber attack that affected over 10 million people. It did show that the largest number of people affected by a single finance-related breach was less than 500,000, while the health sector faced three high-impact breaches, each affecting fewer than 5,000 individuals.

According to the report, from October to December last year, 262 data breaches were reported under the NDB scheme, which came into effect in February 2018.

Number of data breaches reported under the NDB scheme by month — All sectors

It also revealed that cyber criminals targeted people mostly to gain contact information. Financial details, identity and health information, as well as tax file numbers (TFN) and other sensitive information, were also involved in these data breaches. A total of 186 breaches affected the personal information of individuals.

It showed that among the notified breaches attributed to malicious or criminal attacks, 87 were labelled as "cyber incidents", such as phishing, brute-force attacks, malware or ransomware, or compromised or stolen credentials.

Kind of personal information involved in data breaches — All sectors

"Malicious or criminal attacks accounted for 131 data breaches this quarter, while human error accounted for 75 data breaches. System faults accounted for nine data breaches," the report added. "Many incidents in this quarter appear to have exploited vulnerabilities involving a human factor, such as clicking on a phishing email or by using social engineering or impersonation to obtain access to personal information fraudulently."

The report stated that human error was the second-largest source of data breaches, with 23 reported cases in which an individual's personal information was sent via email to an incorrect email address.

"Data breaches involving human error resulting in the unintended release or publication of personal information impacted the largest numbers of people (an average of 36,993 affected individuals per data breach)," the report said, adding that failure to use blind carbon copy (BCC) when sending emails impacted an average of 432 individuals per data breach.

The OAIC said that system faults included the unintended disclosure of personal information on a website due to coding bugs.

The report shows that cyberattacks affected health service providers the most. The finance sector accounted for 27 breaches, while legal, accounting, and management services had 23 notifiable data breaches.

It claimed that human error caused the majority of data theft in the health sector, while malicious online activity was to blame for 16 of the finance sector's breaches.

However, it should be noted that from July 2019, the OAIC will report every six months on notifications received under the NDB scheme, not quarterly.