These attacks often involved a human factor, such as manipulating someone into clicking on a phishing email or disclosing their passwords.
In a quarter of the incidents (55 notifications) it could not be determined how the malicious actor obtained the compromised credentials.
The growing threat of ransomware
The number of data breach notifications attributed to ransomware attacks increased by more than 150% compared to the previous six months – increasing from 13 to 33. This highlights the increasing threat posed by ransomware.
What is ransomware?
Ransomware is malicious software which encrypts a system’s data, making it unusable or inaccessible. A system can be infected with ransomware in various ways including:
- Opening a malicious email attachment.
- Downloading fraudulent software.
- Visiting a malicious webpage.
The attacker then demands that a “ransom” be paid for the decryption key, which may or may not be provided after the fee is paid.
What is the public threat?
While the traditional ransomware attack involves only the encryption of data on an organisation’s system, there has been an increase in ransomware attacks that result in the copying or exfiltration of data in addition to encryption. Many of these attacks appear to be linked to a specific ransomware variant.
The exfiltration of data poses a threat to the public, as individuals’ personally identifiable information can be made available for potential exploitation.
What does this mean for businesses?
Under the NDB scheme, an organisation must notify affected individuals of serious data breaches involving their personal information. If data exfiltration becomes more common in ransomware attacks, businesses could be required to report data breaches even before they have evidence that data was exported.
Conclusion
Cybercrimes, and particularly ransomware, represent an increasing threat to Australian businesses and the public. Organisations need to be aware of their obligations under the Notifiable Data Breaches scheme to ensure that they comply with laws in an evolving landscape, where legislation may need to change to keep pace with the rise of new cybercrimes and ransomware variants.