The Australian finance sector was responsible for 13% of notifiable data breaches reported to the Office of the Australian Information Commissioner in the first quarter of 2018.
The OAIC Quarterly Statistics report outlined the top five industry sectors that reported breaches in the quarter. Finance (including superannuation) sits at third on the list, behind health service providers and legal, accounting and management services.
The report also described the types of personal information involved in the breaches, which included contact information, financial details, tax file numbers and identity information. Financial details were involved in 30% of notifiable data breaches, including bank account details and credit card numbers.
Human error (50.79%) and malicious or criminal attacks (44.44%) accounted for more than 95% of all sources of breaches reported over the quarter. The OAIC defines malicious or criminal attacks as the theft of personal information or any unauthorised access to the systems of an entity.
The findings of the report arrive after damning results of a Kamino Cyber Security survey were released in March. The survey looked into the sentiment of cyber security in the financial services industry, finding that the owners of financial services businesses were over-confident about dealing with cyber threats, yet only 32% of respondents were aware of the mandatory data breach notification laws.
Additionally, the survey found that only 28% of respondents had full confidence in the cyber security hygiene of their staff.
Kamino managing director Julian Plummer found that business owners' concerns about cyber incidents were genuine, but were not reflected in their preparedness for an incident.
"Most respondents appeared to have a very good understanding of what is at stake in the face of a cyber incident. Customer information is of the utmost importance, and the survey revealed that business owners realise that their brand must be protected from being tarnished by cyber incidents, which could lead to direct revenue loss," he said.
However, this has not been reflected in the preparations and processes that should be put in place to protect advisers, accountants and super funds from potential cyber-attacks, he said.
The Notifiable Data Breach laws were brought into effect in February, and carry penalties of up to $1.8 million for organisations that don't comply.