Data breaches in the financial sector

According to the latest report released by the Office of the Australian Information Commissioner (OAIC), the finance sector reported the second highest number of notifiable data breaches in the second quarter of 2019. Health service providers top the list.

Overall, the number of reports made to the OAIC has remained fairly consistent since the inception of the regime, with 245 reports made in total between April and June 2019. The kind of personal information affected is predominantly contact information. Malicious or criminal attacks accounted for 62 per cent of all breaches reported, the majority of which are reported to have involved cyber incidents such as phishing, malware or ransomware, brute-force attacks, or compromised or stolen credentials.

Compromised credentials were the cause of most cyber incidents that resulted in a notifiable data breach; the credentials were obtained mainly through phishing, but also by unknown methods. The finance sector had the highest number of incidents occurring through unknown methods.

Phishing is defined as “an attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords”.

All licensees have an obligation to ensure that they have adequate IT resources to provide their services. This obligation includes procedures in relation to IT security. Phishing and compromised credentials, whilst scams, generally only work when a human lets their guard down, ‘clicks on the link’ or responds in some way. Financial services firms are likely to continue to be targeted by these scammers given the amount, and nature, of personal information held by industry participants.

TIP: Licensees should consider whether more steps can be implemented within their business to avoid phishing scams. For example, consider whether staged verification processes can be implemented or more frequent training run for staff.