Australian data watchdog calls for greater vigilance against cybercrime

The Australian Information Commissioner has urged public servants and other professionals who handle personal information to improve their defences against ransomware attacks and impersonation fraud.
Angelene Falk made the call as she released the latest biannual report on data breaches at public and private sector organisations, that is, breaches that infringe people’s privacy rights and that the law requires to be disclosed to the Office of the Australian Information Commissioner (OAIC).
The OAIC received 446 data breach notifications in the period from January to June 2021, of which 43% were the result of cybersecurity incidents. There was a 24% increase in reported ransomware attacks in the period, compared to the previous six months.
Falk said the increase was a cause for concern, particularly due to the difficulties organisations faced in assessing whether ransomware attacks amounted to a security breach.
“We know from our work – and from the Australian Cyber Security Centre – that ransomware attacks are a significant cyber threat,” she said.
“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated, and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.
“We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network.”
Falk said the OAIC had also been notified of a number of data breaches resulting from impersonation fraud, in which a malicious actor impersonates another individual in order to gain access to an account, system, network or physical location.
“The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls,” she said.
“We expect entities to notify us when they experience impersonation fraud, where there is a likely risk of serious harm. Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.”
Malicious or criminal attacks accounted for 65% (289) of the 446 data breaches that took place from January to June 2021, compared with 134 resulting from human error and 23 due to system faults.
Overall, the number of breaches was down by 16% on the previous period, with the sharpest reduction recorded in breaches due to human error. These were down by 34%, following an 18% increase in the previous period.
However, Falk warned that human error remained a major source of data breaches and organisations needed to remain alert to it – particularly the Australian government, where 74% of breaches fell into this category.
“Let’s not forget [that] the human factor also plays a role in many cybersecurity incidents, with phishing being a good example,” she said. “Organisations can reduce the risk of human error by educating staff about secure information handling practices and putting technological controls in place.”