The OAIC (Office of the Australian Information Commissioner) has released its Notifiable Data Breaches report for the first six months of 2024. The report analyses the common themes across all data breaches notified to the OAIC during the period January – June 2024.

Before we start, I will emphasise that this does not cover all breaches, only those declared to the OAIC. There is therefore some bias towards industries where there is a regulatory requirement to notify the OAIC of a breach. Companies in industries with no such requirement are less likely to disclose that they have suffered a breach, given the bad publicity it brings.

With that disclaimer out of the way, we will go through the most common breach causes reported and suggest where you can focus your efforts to avoid appearing in the next report.

Supply Chain Risks

Outsourcing the handling of personal information to third parties remains a prevalent source of breaches. The OAIC received 34 notifications relating to incidents in which more than one entity was involved. In everyday terms, these are companies affected by a reported breach of someone within their supply chain.

The first step in protecting yourself against data breaches within your supply chain is to fully understand that supply chain: who your suppliers' suppliers are, which of their processes are outsourced, and to whom, as far as this can be established. Only then can you track those suppliers and maintain control, by ensuring your requirements are passed down through your suppliers' own agreements.

Should a breach occur, the other consideration is the time taken for you to be notified of it. Notifying everyone affected naturally takes time, including the companies downstream of the breach, who must then determine what of their data was held by that supplier.

Minimising supply chain risk can include enhancing supplier agreements or contracts to cover:

  • Data retention and deletion responsibilities
  • Accountabilities and responsibilities in the event of a data breach, including provisions for when multiple parties are affected (i.e. a supplier's supplier)
  • Notification of information security events or incidents at the supplier or any of their sub-contractors
  • Flow-down of your requirements through your suppliers' own supply chains

Keep oversight of your supply chain through data security assessments that verify the effectiveness of suppliers' controls and their compliance with security standards, contractual requirements and legal obligations.

Human Error

Human error was classified as the cause of 30% of all reported breaches, with a further 12% caused by phishing. The top human error causes were personal information sent to the wrong email recipient (38%), unauthorised disclosure through unintended release or publication (24%), and failure to use BCC when sending emails (10%).

Human error will always be one of the largest breach risks, but you can mitigate it and protect your employees by educating them to keep security front of mind when handling both company data and their own. Training at regular intervals keeps their knowledge current with evolving threats and attacker techniques.

As the data on human error breaches shows, stressing the importance of what is sent between people, both within the business and to external parties, and prompting employees to think about what they are sending and to whom before they hit send will address the most common causes.

Other measures that protect against both human error and the use of compromised credentials are to restrict access to data and information to only those who need it to carry out their duties, and to proactively monitor access logs, user activity and user permissions. Monitoring helps detect unauthorised access, identifies credentials which may have been compromised, and shows which systems and data were accessed with them.
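As an added illustration of the two checks just described (not code from the report or from the author), the script below runs a least-privilege check and a simple credential-compromise indicator over a constructed access log. The entitlement map, user names, IP addresses and log format are all hypothetical; in practice the entitlements would come from your IAM system and the log from your application or cloud audit trail.

```python
"""Flag access outside a user's entitlements, and the same account appearing
from two different sources within a short window, over constructed log lines."""
import json
from datetime import datetime, timedelta

# Hypothetical entitlement map: which datasets each account may read.
ENTITLEMENTS = {
    "alice": {"hr-records", "payroll"},
    "bob": {"crm"},
    "svc-backup": {"hr-records", "payroll", "crm"},
}

# Constructed JSON-lines access log (sample data, not from any real system).
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:01:10Z", "user": "alice", "src_ip": "203.0.113.5", "resource": "hr-records", "action": "read"}
{"ts": "2024-03-04T09:02:45Z", "user": "bob", "src_ip": "203.0.113.9", "resource": "crm", "action": "read"}
{"ts": "2024-03-04T09:05:00Z", "user": "bob", "src_ip": "203.0.113.9", "resource": "payroll", "action": "read"}
{"ts": "2024-03-04T09:06:30Z", "user": "alice", "src_ip": "198.51.100.77", "resource": "hr-records", "action": "read"}
{"ts": "2024-03-04T23:40:00Z", "user": "svc-backup", "src_ip": "203.0.113.20", "resource": "crm", "action": "read"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_entitlement_violations(events, entitlements):
    """Least-privilege check: any access to a resource the user is not entitled to."""
    return [ev for ev in events
            if ev["resource"] not in entitlements.get(ev["user"], set())]


def find_source_changes(events, window=timedelta(minutes=30)):
    """Same account seen from two different source IPs within `window`:
    a cheap indicator that a credential may be shared or stolen."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prev = last_seen.get(ev["user"])
        if prev and prev["src_ip"] != ev["src_ip"] and ev["ts"] - prev["ts"] <= window:
            alerts.append({"user": ev["user"], "from": prev["src_ip"],
                           "to": ev["src_ip"], "ts": ev["ts"]})
        last_seen[ev["user"]] = ev
    return alerts


def review(text, entitlements=ENTITLEMENTS):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "violations": find_entitlement_violations(events, entitlements),
        "source_changes": find_source_changes(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for v in result["violations"]:
        print(f"ENTITLEMENT  {v['user']} read {v['resource']} from {v['src_ip']} at {v['ts']:%H:%M}")
    for a in result["source_changes"]:
        print(f"NEW SOURCE   {a['user']} moved from {a['from']} to {a['to']} at {a['ts']:%H:%M}")
```

On the sample data this reports bob reading payroll, which he is not entitled to, and alice's account switching source address within five minutes. The second check is deliberately crude (a VPN reconnect will trigger it too); its value is in prompting a look at what that account touched afterwards, which is exactly the question the paragraph above asks.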

Misconfiguring Cloud Systems

The other main item we will cover, and a focus of the report, is the misconfiguration of cloud systems. The OAIC has seen breaches caused by gaps in organisations' understanding of their cloud environments, which have left private data accessible to the public.

The report emphasised that securing data stored in the cloud is a shared responsibility. Cloud service providers secure their own infrastructure and software, and usually hold certifications to show it, but the configuration of what sits on top of that is the customer's job, and organisations often overlook their responsibility to manage and maintain appropriate security within their own environments.

The examples used by the OAIC, and the weaknesses we most frequently encounter, involve the access configuration of storage repositories (buckets) being set to public rather than private, whether by mistake or through misunderstanding. The public can then read whatever the repository holds, and that is a data breach. The recommended mitigations are:

  • Implement strong access controls, including MFA, IP-based access restrictions and encryption.
  • Have policies, processes and procedures that govern and assign responsibility for the creation, correct configuration and management of cloud data storage.
  • Regularly assess and review cloud configurations.
  • Conduct risk analysis and security monitoring of cloud storage environments.
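As an added example of the "regularly assess and review cloud configurations" point (this is not code from the report or from the author), the script below checks a bucket's configuration for the exact failure described above: access granted to everyone. It uses the shape of AWS S3 bucket policies, ACL grants and the Public Access Block settings, with a constructed misconfigured bucket beside its corrected form. The bucket name, account ID and role name are hypothetical, and the configuration is embedded inline rather than fetched from an account.

```python
"""Detect public exposure in an object-storage bucket's configuration.
Checks the three S3 mechanisms that decide who can read: the bucket policy,
the legacy ACL grants, and the Public Access Block that overrides both."""

# Grantee URIs that S3 treats as "everyone" (AuthenticatedUsers is any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(x):
    """Policy fields may be a single string or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Allow statements open to everyone with no Condition narrowing them."""
    return [
        {"sid": st.get("Sid"), "actions": _as_list(st.get("Action", []))}
        for st in _as_list(policy.get("Statement", []))
        if st.get("Effect") == "Allow"
        and _principal_is_public(st.get("Principal"))
        and not st.get("Condition")
    ]


def public_acl_grants(acl):
    """ACL grants to the global AllUsers / AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]


def assess_bucket(policy, acl, public_access_block):
    """Return (is_public, reasons). A fully enabled Public Access Block
    neutralises public policies and ACLs, so it is checked last."""
    reasons = [f"policy statement {s['sid']} allows {','.join(s['actions'])} to everyone"
               for s in public_policy_statements(policy)]
    reasons += [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                for g in public_acl_grants(acl)]
    if all(public_access_block.get(k, False) for k in PAB_KEYS):
        return False, [r + " (neutralised by Public Access Block)" for r in reasons]
    return bool(reasons), reasons


# Constructed configurations for a hypothetical bucket "example-customer-exports".
MISCONFIGURED = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"}]},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]},
    "pab": {k: False for k in PAB_KEYS},
}
CORRECTED = {
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]},
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
    "pab": {k: True for k in PAB_KEYS},
}

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        is_public, reasons = assess_bucket(cfg["policy"], cfg["acl"], cfg["pab"])
        print(f"{label}: public={is_public}")
        for r in reasons:
            print("  -", r)
```

The corrected configuration shows the shape to aim for: a named role as the principal instead of "*", a Condition enforcing TLS, no ACL grants beyond the owner, and all four Public Access Block settings on so that a later mistake in a policy or ACL cannot reopen the bucket. Running a check like this on a schedule across every bucket, rather than once at creation, is what "regularly assess and review" means in practice.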
Author
Brad Fabiny

DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
