Australian businesses may have reported fewer data breaches during the first half of 2021 than in any comparable period for years, but cybersecurity experts warn companies not to interpret the figures as a victory over resourceful cybercriminals.

Just 446 data breaches were notified to the Office of the Australian Information Commissioner (OAIC) under notifiable data breach (NDB) laws between January and June, the agency’s latest statistical report has revealed – well down from the 539 notifications in the second half of 2020 and 518 notifications during the same period last year.

Malicious attacks accounted for 65 per cent of notifications – up from 57 per cent in the previous reporting period – while 30 per cent of incidents were attributable to human error.

Some 28 incidents were attributed to rogue employees or insider threats, while there were 34 reported cases where paperwork or a data storage device was stolen.

This year’s first-half decline outpaced a similar drop during the first months of the COVID-19 pandemic – but given widespread reports of surging cybercriminal activity, Australian Information Commissioner and Privacy Commissioner Angelene Falk was wary of reading the figures as a sign that businesses are winning the war on cybercrime.

Rather, she said, a 24 per cent surge in the number of ransomware incidents – from 37 in the second half of 2020 to 46 incidents this year – suggested that many cybercriminals were simply shifting tactics, to great success.

“The nature of these attacks can make it difficult for an entity to assess what data has been accessed or exfiltrated,” Falk explained, “and because of this we are concerned that some entities may not be reporting all eligible data breaches involving ransomware.”

Businesses are expected to have “appropriate internal practices, procedures and systems in place” to detect and respond to ransomware incidents, Falk said – reflecting the growing sentiment that companies and their executives should be liable for expensive cyber breaches, face stricter reporting obligations, and be barred from treating cyber insurance as a get-out-of-jail-free card.

Flying under the radar

Yet ransomware isn’t the only cybercrime trend on the OAIC’s radar: with billions of stolen personal records flooding the dark web, Falk said Australian companies needed to “continually review and enhance their security posture” to minimise the risk of impersonation fraud.

Easy access to personal details was giving cybercriminals enough information to efficiently impersonate victims, bypassing companies’ identity checks and conducting fraudulent activities that don’t always register as data breaches.

The OAIC was notified of 35 incidents in which “malicious actors” used social engineering or impersonation to contact a call centre, pass the organisation’s phone-verification processes and then log into the victim’s accounts to change personal or payment details, or conduct fraudulent transactions.

Even though such incidents involve no malicious code or technical intrusion, the OAIC considers them to be eligible data breaches, and Falk said companies should notify the OAIC of any such incident “where there is a likely risk of serious harm”.

With one breach affecting over 10 million individuals and two more affecting 1 million to 10 million people each, harm was being caused on a regular basis, noted Jim Cook, a security expert of over 20 years now serving as ANZ regional director of threat-detection provider Attivo Networks.

“Australians need to assume that their private information is ‘out there’, available for sale and that they should act accordingly when being contacted by an individual or organisation that they don’t recognise,” he said.

And while the OAIC report suggested Australian companies are getting faster at detecting breaches, the average time to detection – less than 30 days – “is still not fast enough to make a difference to the people whose data has been compromised.”

“Criminals whose goal was to extract and sell personally identifiable information will have completed their objective well within a 30-day period.”

Gary Jackson, APAC vice-president with vulnerability-scanning firm Tenable, said the newly released figures confirm the “glaring truth [that] cyberattackers are finding the holes in our current defences and profiting from them.”

“While notifications may be down, it’s essential that organisations do not let their guard down,” he continued, calling the figures “a much-needed wake-up call to Australian organisations to proactively strengthen their defences before it becomes a crisis.”