Australia vs United Kingdom: a comparison of data breach statistics

Sep 2021 | Cyber Risk

The Office of the Australian Information Commissioner (OAIC) has released a report detailing the latest data breach statistics for the January 2021 to June 2021 period, based on notifications made under the notifiable data breach scheme.

While the total number of notifications decreased in comparison to previous years, the causes and scope of those breaches and sectors affected by them remained consistent with the OAIC’s previous reports. 

To provide some perspective regarding cyber security in Australia, we have compared the Australian statistics to those reported in the United Kingdom for a similar period. 

Australian statistics 

There was a total of 446 notifications to the OAIC in the six months from January 2021 to June 2021, which is a decrease of 16% in the number of notifications from the previous six months and is an 11% decrease compared to the same period in 2020.

Causes

Malicious or criminal attacks remained the most prevalent cause, accounting for 65% of notifications. This represents a decrease of 5% since the last reporting period. Of particular significance, breaches arising from ransomware attacks increased by 24%.

Human error accounted for 30% of notifications, which is a decrease of 34% since the last reporting period. Accidentally sending personal information to the wrong recipient remained as the main form of human error, followed by unintentional release or publication of personal information (23%), and failure to use the ‘blind carbon copy’ function when sending group emails (8%).

System fault accounted for 5% of notifications, down from 9%. 

Sectors

The health sector continues to report the highest number of breaches, reporting 19% of all breaches during the reporting period. Within this sector, the primary cause of those breaches was malicious attacks. 

The top five sectors were relatively close in the number of notifications with the second most notifications being made in the finance sector (13%), followed by legal, accounting and management services (8%), the Australian Government (8%) and insurance (8%).

Scope

Of the breaches notified, 65% affected 100 people or fewer, with 26% of notifications affecting a sole person. Additionally, 17% of the notifications affected more than 1,000 people per breach. 

The types of information involved in those breaches were personal information (91%), identity information (55%) and financial details (43%).

The greatest number of notifications were made in March, being 102. There were otherwise around 60 to 80 notifications per month. 

Comparison with the United Kingdom’s statistics

Similarly to Australia, if an organisation in the United Kingdom experiences a data breach, it is required to report it to the Information Commissioner’s Office (ICO), which produces quarterly reports based on those notifications (whereas the OAIC produces bi-annual reports).

The statistics in the ICO’s most recent report are based on notifications made between 1 April 2021 and 30 June 2021.
In summary, that report provided that:

  • there was a total of 2,552 notifications to the ICO during the reporting period, which was an increase of 5% compared to the previous quarter;
  • the most significant cause of those breaches was sending personal information to the wrong recipient (16%), followed by email phishing (11%); 
  • the top five sectors for notifications included health (24%), education and childcare (13%), retail and manufacturing (9%), local government (9%) and legal (8%); and
  • cyber security, a category that appears to be similar to the OAIC’s category of malicious or criminal attacks, accounted for 27% of breaches. Non-cyber security incidents, being system faults and human errors, accounted for the remainder of reported breaches (73%). 

The significant difference in the number of notifications is likely attributable to the difference in population between the countries. 

Interestingly, in both jurisdictions the health sector experienced the largest number of breaches. However, the primary causes of those breaches differed: in the United Kingdom, the largest share of health sector notifications related to loss or theft of paperwork (18%), while in Australia they were caused by phishing emails and ransomware attacks (24%).

Similarly in relation to the legal sector, the United Kingdom’s reported breaches were primarily caused by sending information to the wrong recipient (25%), whereas Australia’s notifications again related to phishing emails and ransomware attacks (31%).

Conclusion 

The reports indicate that malicious or criminal cyber attacks are causing a higher percentage of breaches in Australia, while many of the United Kingdom’s breaches related to human and system errors. 

While the causes of data breaches in each jurisdiction differed, both can be addressed through education and training. 

This was outlined in a media release from the Australian Information Commissioner and Privacy Commissioner Angelene Falk. Commissioner Falk warned that as the dark web continues to grow it is the OAIC’s expectation that entities have appropriate internal practices, procedures and systems in place to assess and respond to data breaches. 

While the release focused on the increase in ransomware attacks, Commissioner Falk cautioned that human error plays a role in many cyber security incidents, and that organisations can reduce the risk of human error by educating staff about secure information handling practices. 

Cyber security awareness and training is more important than ever, with the onus clearly being on entities to understand their obligations and take responsibility for implementing appropriate training and procedures to avoid data breaches.


Special thanks for the contribution of Daniel Grbavac.

This article may provide CPD/CLE/CIP points through your relevant industry organisation.

The material contained in this publication is in the nature of general comment only, and neither purports nor is intended to be advice on any particular matter. No reader should act on the basis of any matter contained in this publication without considering, and if necessary, taking appropriate professional advice upon their own particular circumstances.