OAIC Advises Businesses to secure Personal Information when sending email

Posted: March 2, 2020

Security-as-a-Service. An illustration of a digital vault used to store sensitive personal information

The Office of the Australian Information Commissioner has released its latest report on data breaches involving personal information with a new advice to business – secure personal information sent in emails so that if the recipient’s login credentials are compromised, the information you are responsible for is not at risk of a notifiable breach event.

With almost 33% of breaches occurring via compromised login credentials, criminals are finding all they need to do is mine the Inbox, Deleted and Sent items associated with a login to steal personal information and/or further compromise an organisation.

The OAIC advises businesses transacting personal information to secure it within a data room, sharing links rather than the data itself. They also advise to protect it with a password and, we would add, consider limiting the lifetime of links that point to the data.

The Australian Information Commissioner, Angelene Falk, also highlighted the risk of harm to individuals whose information is mistakenly emailed to the wrong person. Apparently, mistakes in emailing accounts for 9% of breaches reported to the OAIC.

“The accidental emailing of personal information to the wrong recipient is the most common cause of human error data breaches,” Commissioner Falk said.

“Email accounts are also being used to store sensitive personal information, where it may be accessed by malicious third parties who breach these accounts.

She summed up the organisation’s advice as: “Organisations should consider additional security controls when emailing sensitive personal information, such as password-protected or encrypted files.

“This personal information should then be stored in a secure document management system and the emails deleted from both the inbox and sent box.”

The commissioner also announced that in the previous 6 months there had been a 19% increase in the number of data breaches reported to the OAIC. A total of 537 breaches were reported.

Health Service providers and Financial Services are targeted more frequently than other industries. This is because the personal information that such companies control is the most valuable to steal.

The Commissioner also offered a solid assessment on the data breach preparedness of Australian organisations, saying, “There is now increasing focus on organisations taking preventative action to combat data breaches at their source and deliver best practice response strategies”.

“Where data breaches occur, organisations and agencies must move swiftly to contain the breach and minimise the risk of harm to people whose information has been compromised.”

Are you fully prepared for a breach?

Do you understand your responsibilities if a data breach was to occur?

How vulnerable to an attack are you?

Computer One can assess your level of preparedness and vulnerability in an information security audit.

We can also provide Security-as-a-Service where we take responsibility for the entire information security of your organisation. Talk to us on 1300 667 871 if you would like more information.