Industry target of malicious, criminal attacks

Malicious or criminal attacks account for more than half of data breaches that affected the insurance industry, the Office of the Australian Information Commissioner’s (OAIC) latest update for the half-year to December shows.

The insurance industry notified the OAIC of 32 breaches during the period, of which 17 were blamed on malicious or criminal attacks and the remaining 15 were caused by human error.

The December half update shows the insurance industry remains among the top-five list of sectors with the most cases reported to the OAIC. The industry emerged for the first time in the top-five list in 2020.

Industry experts say they are not surprised by the OAIC findings, pointing out insurers are targeted because of the valuable data in their possession.

“In all probability, it will come as no surprise to insurers to find themselves in the top five of reported cases in the latest data breach report,” Sparke Helmore Lawyers Partner Commercial Insurance Mark Doepel told insuranceNEWS.com.au today.

He says the key issue to note is that the majority of breaches sustained by insurers come about through malicious and criminal attacks.

“These attacks are focused attacks, with a specific and deliberate target,” Mr Doepel said. “In this regard, insurance companies are a veritable treasure trove of the types of data that malicious hackers are after.”

He says the industry presents a “potential Aladdin’s cave of highly desirable information” if one takes into account all aspects of the operations of an insurance company and the information which will be collected, from underwriting and policy distribution, through investment and claims issues.

“Insurers present a very appealing target,” Mr Doepel said, pointing out the data they hold such as identity information and financial details “are all very highly prized on the dark web”.

Nicole Gabryk, Special Counsel in Wotton + Kearney’s Cyber, Privacy & Data Security team, says any business which revolves around financial transactions is a target.

“Insurers pay large volumes of claims on a daily basis which makes insurers a target for cyber criminals,” she told insuranceNEWS.com.au.

“[They] deal with large volumes of sensitive and valuable personal information and will continue to face an onslaught of cyber-attacks for the foreseeable future – that is reflective of the high volumes of breaches for these industries presented in the OAIC report.”

Health has the most breaches, at 83, followed by finance (56), legal, accounting & management services (51), personal services (36), education (32) and then insurance, also on 32.

The OAIC does not provide information on insurance companies affected by data breaches, even on an anonymous basis, but the half-year update gave a breakdown of the 17 malicious or criminal attack cases.

It says 13 of the malicious or criminal attacks were social engineering/impersonation, three were cyber incidents and one related to rogue employee/insider threat.

A brute-force attack, one phishing case and another involving compromised or stolen credentials make up the three cyber incidents.

Click here for the Notifiable Data Breaches report.