The leaked information has raised serious concerns about the potential consequences for both donors and the charities they support. With personal information now available on the dark web, affected individuals could be at risk of identity theft, scams, and other forms of cybercrime.
Charities, on the other hand, could suffer reputational damage as a result of the breach, potentially leading to a decline in public trust and donations.
Charities and the telemarketing company are working closely with cybersecurity professionals to contain the breach and prevent further unauthorised access.
Affected donors are being notified and provided with guidance on how to monitor their financial accounts and protect themselves from potential fraud. The incident has also prompted calls for stricter data protection regulations to safeguard personal information collected by charitable organisations.
The telemarketing company gathered donations from supporters, and one charitable organisation has alleged that the company held onto documents dating back nine years without its knowledge, potentially violating privacy regulations.
The Cancer Council, Canteen, and Fred Hollows Foundation have acknowledged that donor details have surfaced on the dark web.
Fred Hollows Foundation disclosed that around 1,700 of its donors were impacted, asserting that the data had been stored without the charity’s knowledge.
Expressing profound disappointment, the foundation released a statement, clarifying their association with Pareto Phone only during 2013 and 2014. They were unaware that their data was still retained by the company.
The Australian Privacy Principles dictate that personal information must be either deleted or anonymised once its original purpose of collection is fulfilled. This is a mandate that all partners must adhere to. The foundation has formally requested Pareto Phone to expunge any remaining donor data.
Another charitable entity has accused Pareto Phone of unlawfully retaining information, contrary to Australian privacy laws.
Médecins Sans Frontières (MSF) said in a statement today that it has not used the services of this third-party fundraiser since 2018.
According to the Australian Privacy Principles, organisations are obliged to take appropriate measures to eliminate unnecessary personal data.
Highlighting that it has been nearly five years since their collaboration with Pareto Phone, MSF has revealed that Pareto Phone has notified the relevant authorities, including the Office of the Australian Information Commissioner (OAIC) and the NZ Privacy Commissioner, about the data breach.
Sarah Sloan, Head of Government Affairs and Public Policy ANZ at Palo Alto Networks, says the leak of the personal information of Australian donors is an unfortunate outcome for everyday Australians and the charities supporting those most in need, demonstrating how low cyber criminals are willing to stoop in search of a payday.
“On the back of high-profile cyber-attacks such as these, it is important we review and assess the effectiveness of our national cyber security policies, legislation, and cyber advisories,”
“The Federal Government is already undertaking a review of the Privacy Act to ensure that it reflects Australia’s values and community expectations when it comes to securing personal information – including whether these obligations should apply more widely across our economy,” said Sloan.
“The Government has also committed to updating the Cyber Security Strategy and set the ambitious goal of becoming the most cyber-secure nation by 2030,”
“As Australia embarks on the journey of crafting its next Cyber Security Strategy, it must look to strengthen public-private partnerships, ensure a robust ICT supply chain, and support the widespread adoption of leading technical policies – such as zero trust and attack surface management,” she said.
The breach of donor information from Australian charities serves as a sobering reminder of the evolving cybersecurity landscape and the vulnerability of personal data in the digital age.
Protecting Organisational Data
Professor Nigel Phair, Department of Software Systems and Cybersecurity, Faculty of Information Technology, says the best way for organisations not to have a data breach is for them to delete customer identifying information post-transaction.
“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers,”
“Beyond what organisations can do to safeguard themselves we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cybersecurity,”
“The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified,” he said.
Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4, says charities are often operating on tight budgets. As a result, cybersecurity is often an afterthought, or pursued on a best endeavours basis.
“They can be easy targets for cybercriminals. Charities usually collect a lot of personal information on donors, including payment or other banking information, as well as processing a large number of transactions,”
“Like most attacks, criminals will frequently target charities through phishing emails (malicious emails) or other social engineering attacks,” said Jayne.
“So, defending against them is not just a case of having technical controls in place, but also providing new school security awareness training to staff and an opportunity to practice their new skills with simulated phishing and social engineering activities,”
“The intent here is to support your people to make better decisions online where they are less likely to fall victim to such an attack. Attacks against charities on the whole are particularly impactful,”
“Not only do they impact the charity themselves, and the donors, but also the causes they support which often heavily rely on the work of the charities,” she said.
Cancer Council Cuts Connections With Pareto Phone
The Cancer Council said it was waiting on Pareto Phone to clarify how many of its donors had been adversely affected, but said it was so far a “very small number”.
“We understand that this may be a concerning situation for anyone who has generously donated to Cancer Council, and we unreservedly apologise for any distress caused,” a statement read.
Pareto Phone was targeted by cybercriminals in April, in an attack the Department of Home Affairs described as “deeply concerning”.
“Australia’s charities are an important part of our community and do critical work improving people’s lives. This incident shouldn’t stop you from donating to charities,” a department spokesperson said.
The National Cyber Security Coordinator had been notified, and the Australian Signals Directorate’s Australian Cyber Security Centre “stands ready to offer technical advice and remediation as required,” the statement read.
Forensic Specialists to Analyse Affected Files
In a statement, the company’s CEO Chris Smedley apologised for the distress the breach had caused, and said the company was working “urgently” with forensic specialists to analyse affected files.
“We have not at this stage identified any identity documents such as tax file numbers, driver licenses and passports about any donor,” Mr Smedley said.
The potential for further data publication remains, because the four-month interval between the attack and the data leak gives the criminals an opportunity to release more, according to Paul Haskell-Dowland, a Cybersecurity Practice professor at Edith Cowan University.
“The publication of the data on the dark web doesn’t necessarily mean that it’s all of the data that the criminals hold,” Professor Haskell-Dowland said.
“If you are looking to get maximum effect, following with this set of data, you may well release particular sets of information to reinforce the fact that you have the data … like a proof of life in a kidnap case,” he said.
As investigations continue and impacted individuals take steps to safeguard their information, the incident underscores the urgent need for robust cybersecurity protocols and heightened awareness to protect both donors and the organisations they support.