In January 2022, the Identity Theft Resource Center (ITRC) in the United States (US) released its 2021 Annual Data Breach Report (Report).[1] Consistent with anecdotal evidence, the Report identified a 68% increase in the number of data compromises from 2020 to 2021.[2] In this context, data compromise is an umbrella term describing events where personal information is accessible, while data breach refers to events where that information is actually accessed and/or removed.[3]
The rise in cyber-crime is likely attributable to the higher gains to be made from such activities and to the increase in the number of individuals possessing the relevant knowledge. Self-reported losses from cyber-crime in Australia totalled more than $33 billion in the 2021 financial year.[4] In addition, COVID-19 necessitated working arrangements which relied heavily on technology outside the safety of the office environment, leaving individuals and organisations more vulnerable than ever.
Over the 2020-21 financial year, Australia also saw an increase of nearly 13% in cyber-crime reports compared with the previous financial year.[5] While low-level ‘cyber security incidents’ were down 28%, a higher proportion of incidents were categorised as ‘Category 4’, meaning they had a more profound effect on victim organisations.[6]
Targets of cyber-attacks
The Report noted that in 2021 the number of data compromises was the highest on record since the first US state data breach notice law came into effect in 2003.[7] Perpetrators often gain access to an individual’s information or credentials and use these to reach the target company.
Larger organisations are frequently targeted by cyber-criminals to cause major outages and demand larger ransoms. These attacks are not limited to the US, with Australian operators also experiencing cyber-crime on a large scale. On 30 May 2021, JBS Foods (a global meat and food processing company with part of its business operations in Australia) was the victim of a ransomware attack.[8] As a result, the company was forced to cease processing and send workers home before confirming on 9 June 2021 that it had paid the cyber syndicate USD$11 million to ‘mitigate unforeseen issues related to the attack and to provide assurance that there would be no further disruption’.[9]
More targeted attacks known as ‘Supply Chain attacks’ involve cyber-criminals targeting part of a supply chain to access information from multiple organisations.[10] In 2021, the ITRC reported 93 Supply Chain attacks, impacting 559 entities.[11] While the number of entities affected decreased from 694 the year before, in 2019 only 232 entities were affected by 104 attacks, evidencing a growing trend of fewer cyber-attacks but more victims.[12]
One of the more recent Supply Chain attacks involved the US software provider Accellion.[13] A cyber-criminal was able to infiltrate the company’s outdated file sharing system and access data belonging to Accellion’s customers, including law firms and cybersecurity companies. Morgan Stanley was one of the unfortunate third parties that subsequently experienced a data breach. While the cyber-criminals were able to access personal information of its customers, the customers’ financial information was fortunately encrypted by the firm. By encrypting these files, Morgan Stanley was able to mitigate the risk to its customers.
Companies are not the only target of cyber-criminals. In March 2021, one of Melbourne’s larger metropolitan public health services was infected with a Ryuk ransomware variant, causing a partial IT shutdown and the postponement of some elective surgeries.[14] The necessity of these vital public services leaves organisations in a vulnerable position, and without an appropriate response plan in place, including insurance, these entities often give in to demands. In this case, the health service had a business continuity plan with backups available, which allowed it to continue operating while IT systems were impacted.
The Report noted that the number of victims fell 5% over the 2021 financial year, though the number of consumers whose data was compromised multiple times per year ‘remains excessively high’.[15]
Valuable information
The information gathered by cyber-criminals varies. The Report revealed that the primary information obtained from cyber-attacks was an individual’s name and full social security number.[16] Similar trends were reported in Australia, with 91% of notifications under the notifiable data breach (NDB) scheme involving contact details including name, home address, phone number or email address.[17] Concerningly, 55% of the data breaches reported under the NDB scheme included identity information such as date of birth, passport details and driver licence details.[18]
Cause of data breaches
Cyber-attacks
Cyber-attacks in the US (including phishing, ransomware and malware, amongst others) made up 85% of the total compromises reported by the ITRC.[19] Phishing was the most common form in 2021, accounting for 33% of data compromises.[20] This was followed by ransomware (22%) and malware (9%), with unspecified attacks accounting for 27% of compromises.[21] The Australian data shows that malicious or criminal attacks were responsible for 65% of data breaches.[22]
Human error
The Report recorded that 9.5% of data breaches were attributable to human error.[23] Within this category, incorrectly addressed or misdirected correspondence accounted for 37% of breaches, with failure to configure cloud security correctly making up 30%.[24]
Australia reported some 30% of total data breaches as attributable to human error.[25] It is unclear whether this difference arises because human error is measured differently in the two countries.
Transparency
Notably, the ITRC reported that ‘breach notice transparency’ is decreasing in the US.[26] Consumer breach notices were increasingly lacking important details, with up to 607 notices missing details (as opposed to 209 notices in 2020).[27]
This trend is not expected to be seen in Australia, where the NDB laws have clear and detailed requirements which are regularly and publicly enforced.
Alarmingly, the ITRC noted that notification did not always prompt breach victims to take protective action. Of the 72% of consumers who were aware of a breach notice:
- only 48% changed passwords on the impacted accounts;
- 16% took no action; and
- 3% froze their credit.[28]
The ITRC notes that freezing your credit is the single most effective way of preventing a new credit or financial account from being opened in your name.[29] This process is also available in Australia by emailing the three credit reporting bureaus and attaching the required documentation.[30]
Conclusion
With cyber-criminals able to target larger organisations more easily and efficiently, businesses need to ensure that they have appropriate cyber protection and response plans in place to deal with data compromises or breaches. Cyber insurance is now emerging as a necessary part of risk management. Organisations that fall victim to cyber-attacks without proper risk management in place are vulnerable to having their business operations suspended until they deal with the threat. As a flow-on effect, organisations may find themselves the subject of claims arising from those suspended business operations.
[1] Identity Theft Resource Center, 2021 Annual Data Breach Report (Report, January 2022).
[2] Ibid 5.
[3] Ibid 28.
[4] Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 2020-2021 (Report, 15 September 2021) 17.
[5] Ibid 10.
[6] Ibid 19.
[7] Report 3.
[8] Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 2020-2021 (Report, 15 September 2021) 34.
[9] Ibid.
[10] Report 5.
[11] Ibid 14.
[12] Ibid.
[13] Ibid 19.
[14] Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 2020-2021 (Report, 15 September 2021) 28.
[15] Report 5.
[16] Ibid 13.
[17] Office of the Australian Information Commissioner, Notifiable Data Breaches Report January to June 2021 (Report, 23 August 2021) 10.
[18] Ibid.
[19] Report 6.
[20] Ibid 8.
[21] Ibid.
[22] Office of the Australian Information Commissioner, Notifiable Data Breaches Report January to June 2021 (Report, 23 August 2021) 5.
[23] Report 6.
[24] Ibid 9.
[25] Office of the Australian Information Commissioner, Notifiable Data Breaches Report January to June 2021 (Report, 23 August 2021) 5.
[26] Report 15.
[27] Ibid.
[28] Report 16.
[29] Ibid.
[30] IDCARE, Credit Bans – Australia (Web Page).