2 in 5 financial sector data breaches due to human error

The Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches Scheme 12-month Insights Report this week, which showed that the finance industry was the second-most prone to data breaches, following health.

Of the 1,132 total data breach notifications recorded between 1 April 2018 to 31 March 2019 – which represents the first 12 months of the mandatory data breach-reporting (NDB) scheme for businesses coming into effect – 138 were reported by financial services firms.  

Fifty-seven, or 41 per cent, of these breaches were attributable to human error, such as personal information being sent to the wrong recipient.

Meanwhile, 77, or 56 per cent, were due to malicious or criminal attacks, while just four, or 3 per cent, of the breaches were attributed to system faults.

“The consistent presence of the health and finance sectors at the top of the rankings throughout the year likely reflects the scale of data holdings, volume of processing activities and/or sensitivity of the personal information held by those sectors, as well as those sectors’ higher preparedness to report data breaches,” the OAIC report states.

“Both industries have also been subject to long‑standing information protection obligations (including duties of confidentiality and strict regulatory frameworks) which have likely contributed to their relative maturity and preparedness to meet obligations under the NDB scheme.”

Due to the accelerating threat of cyber attacks, the Australian Prudential Regulation Authority (APRA) created a cross-industry prudential standard, CPS 234, focused on the management of information security at regulated entities.

Coming into effect on 1 July 2019, the infosec standard requires authorised deposit-taking institutions, and other regulated entities, to:

• “clearly define” information security-related roles and responsibilities
• “maintain an information security capability commensurate with the size and extent of threats to their information assets”
• implement controls and regularly test their effectiveness to protect assets (including those managed by related and third parties) from new threats
• have “robust mechanisms” in place to detect and respond to information security breaches in a timely manner
• notify APRA of information security incidents (that had a material impact or could have an impact on the entity or the interests of depositors, policyholders, beneficiaries or other customers) within 72 hours of becoming aware of them

The standard also stipulates that company boards are “ultimately responsible for ensuring that the entity maintains its information security”.

APRA has also been updating its Prudential Practice Guide CPG 234 Management of Information and Information Technology to help entities fulfil their requirements.

Another survey of 1,000 consumers, conducted by Roy Morgan and commissioned by Deloitte, revealed that consumer trust in the privacy practices of financial institutions had fallen the steepest over the last three years.

According to Deloitte’s Privacy Index 2019, the finance sector has dropped from first place in 2016 and 2017, and second place in 2018, to ninth in 2019.

“Financial services has seen the biggest loss in trust in privacy but is still in positive territory, meaning more consumers trust than distrust financial services brands with their personal information,” the report states. 

The IT sector was considered the most trustworthy when it comes to privacy, followed by real estate, travel and transport, and energy and utilities.

On the other hand, the report ranked the finance sector as the best-performing industry on one of the criteria in the study, with 94 per cent of finance apps providing a privacy policy.

[Related: Deloitte research paints dim picture of trust in banks]