One little typo in an email address. That’s all it took for the personal information of 317 people to be sent to an unknown recipient: dates of birth, passport numbers and medical test notes – a jackpot for any cyber criminal involved in credential or identity theft.
Worse still, sending the data by email at all contravened the policy of the Department of Immigration, the organisation the subcontractor was acting for.
The subcontractor departed from protocol by exporting visa applicants’ data from the department’s systems into Excel spreadsheets, which were then emailed as status reports, until one of them went astray.
Subcontracting of tasks involving personal data is increasingly common but, as this case shows, the client’s security practices must be understood by the contractor’s staff and followed to the letter.
According to the OAIC’s Notifiable Data Breaches Statistics Report for the first quarter of 2019, 35% of notifications were attributed to human error: unintended or unauthorised disclosures, or transmission to the wrong recipient.
What goes wrong most often
The most common types of mistakes resulting in data breaches were
- erroneous emails (45.7%)
- unauthorised disclosure or release of information (31.6%)
- loss of paperwork or a data storage device (23%)
- posted information sent to the wrong recipient (21%).
Other mistakes included
- failing to use BCC when emailing multiple recipients
- failure to redact sensitive information before release
- insecure disposal of information
- verbally disclosing classified information.
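The controls that would have stopped the status report in the story, and that address the first two “other mistakes” above, are an outbound-mail gate: a recipient domain allowlist with a near-match hint for typos, a scan of attachments for values that look like passport numbers or dates of birth, and a warning when too many addresses are visible in To/Cc instead of Bcc. The following Python block is an added example written for this page; it is not code from the article, the Department of Immigration, or the subcontractor. The approved domain, the passport and DOB patterns, and the sample CSV are assumptions constructed for illustration.

```python
"""Outbound-mail gate (added example, not the article's own code).

Blocks mail whose attachments look like they carry personal data when any
recipient is outside the approved domains, hints at likely typos in the
recipient domain, and warns when a group mailing exposes addresses in To/Cc.
"""
import difflib
import re
from dataclasses import dataclass, field

# Assumption: the only domain this contractor may send applicant data to.
APPROVED_DOMAINS = {"immi.gov.au"}

# Format-level detectors for the kinds of data in the story. Assumption:
# passport numbers are one or two letters plus seven digits; DOBs are dd/mm/yyyy.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}[0-9]{7}\b")
DOB_RE = re.compile(r"\b[0-3][0-9]/[01][0-9]/(?:19|20)[0-9]{2}\b")


@dataclass
class OutboundMail:
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    attachments: dict = field(default_factory=dict)  # filename -> text (e.g. CSV export)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def count_pii(text: str) -> dict:
    """Count passport-like and DOB-like values in an attachment's text."""
    return {"passport": len(PASSPORT_RE.findall(text)), "dob": len(DOB_RE.findall(text))}


def check_outbound(mail: OutboundMail, approved=APPROVED_DOMAINS, bcc_threshold=5) -> dict:
    """Return {'allowed': bool, 'findings': [(kind, message), ...]}.

    The mail is blocked only when an attachment looks like it carries PII AND
    a recipient domain is off the approved list; other problems are reported
    but not blocked, so the gate stays usable for ordinary correspondence.
    """
    findings = []

    # 1. Does any attachment look like it carries personal data?
    pii = {name: count_pii(text) for name, text in mail.attachments.items()}
    carries_pii = any(sum(c.values()) for c in pii.values())
    for name, c in pii.items():
        if sum(c.values()):
            findings.append(("pii", f"{name}: {c['passport']} passport-like, {c['dob']} DOB-like values"))

    # 2. Is every recipient on the approved list? Hint at near-misses (typos).
    block = False
    for addr in mail.to + mail.cc + mail.bcc:
        dom = domain_of(addr)
        if dom in approved:
            continue
        near = difflib.get_close_matches(dom, approved, n=1, cutoff=0.8)
        hint = f" (possible typo of {near[0]})" if near else ""
        findings.append(("recipient", f"{addr}: domain not approved{hint}"))
        block = block or carries_pii

    # 3. Group mailings should use Bcc so recipients cannot see each other.
    visible = mail.to + mail.cc
    if len(visible) > bcc_threshold:
        findings.append(("bcc", f"{len(visible)} addresses visible in To/Cc; move them to Bcc"))

    return {"allowed": not block, "findings": findings}


# Constructed sample: a status report like the one in the story, addressed to
# a typo of the approved domain. Names and numbers are invented.
SAMPLE_CSV = (
    "name,dob,passport\n"
    "A. Example,12/03/1985,PA1234567\n"
    "B. Sample,30/11/1990,N7654321\n"
)
SAMPLE_MAIL = OutboundMail(to=["status-reports@imi.gov.au"], attachments={"status.csv": SAMPLE_CSV})

if __name__ == "__main__":
    result = check_outbound(SAMPLE_MAIL)
    print("allowed:", result["allowed"])
    for kind, message in result["findings"]:
        print(f"[{kind}] {message}")
```

Run on the constructed sample, the gate blocks the mail and names the likely intended domain, which is the decision point the subcontractor’s process lacked. In a real deployment the same function would sit in a mail-gateway or DLP hook and inspect the decoded attachment rather than a CSV string, and the allowlist would come from the contract with the client.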
The industries where these mistakes occurred most were
- health services
- legal services
- management services
- personal services.
“Limiting cyber risk takes more than online or computer-based solutions,” Robyn Adcock, Cyber Technology Practice Leader at Gallagher, says.
“Regular staff training is a really important way to make sure your business is protected, as people are often the weakest link in the defence of a business.”
The Federal Government’s Australian Cyber Security Centre (ACSC) recommends internal staff training for new starters, refresher training, regular communication about cyber threats and reminders about safe online behaviour.
For external contractors: work with the contractor’s IT or information security contacts to ensure the relevant staff receive equivalent training. Set minimum security standards that suppliers must meet, and verify compliance through audits rather than taking it on trust.
Preventing attacks is always the better strategy, but cyber insurance can help to pick up the pieces should something go wrong.
Gallagher can help businesses formulate preventative strategies and deal with the impact of a data breach. Talk to a Gallagher cyber specialist about how to limit your cyber security exposure.