Written by staff writer.
A cyber attack on charity telemarketing firm ParetoPhone has compromised the personal data of thousands of Australians, leading to renewed claims that many organisations are not handling personal identifiable information safely and securely.
The cyberattack occurred in April but was only recently disclosed to its clients as donor data became available on the dark web. So far, the charities confirming the theft of donor details include the Cancer Council, Médecins Sans Frontières (MSF), Canteen, and the Fred Hollows Foundation. ParetoPhone has more than 70 Australian and New Zealand charities as clients.
ParetoPhone, which describes itself as an industry leader in charity fundraising, collects donations on behalf of clients. Among the data stolen are donor’s full names, dates of birth, addresses, email addresses and phone numbers, including some stored for a decade.
Earlier this month, online cyber advisories reported that the LockBit ransomware group had targeted ParetoPhone. The group operates as a ransomware-as-a-service provider, allowing other parties to deploy the malicious software in exchange for a cut of the proceeds.
The Fred Hollows Foundation has disclosed that 1,700 donors over 2013 and 2014 had their personal identifiable data downloaded, which they say did not include financial, credit card or bank account information. “We were not aware they still held our data,” a Fred Hollows spokesperson told media outlets, adding that the Australian Privacy Principles require entities to destroy or de-identify any such data once it is no longer needed.
Oakley Cox, Asia Pacific Analyst Technical Director for Dacktrace, says the data heist highlights the need for organisations to handle personal identifiable information responsibly. “This affects both the business’s reputation and their customers directly. Australian companies need to understand their obligations to their customers when it comes to handling their data,” he said.
In addition to the Fred Hollows Foundation, Canteen says around 2,600 donors over the 2020 – 21 period are impacted, and that it has paused doing business with the telemarketer, while the Cancer Council believes the cyberattack affects only a small number of donors. However, it is still waiting for clarification from ParetoPhone.
In the wake of news breaking about the cyberattack, the Community Council for Australia wrote to Australian Prime Minister Anthony Albanese and Cybersecurity Minister Michelle O’Neil, calling for charities to receive the same level of cyber security assistance as for-profit entities receive in Australia.
“Charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks,” the August 22 letter read. “The 2023 – 2030 Australian Cyber Security Strategy discussion paper does not mention charities, not-for-profits, or community organisations, although it specifically mentions business 12 times and SMEs twice.”
Cox says the ParetoPhone cyberattack misses the bigger picture. “This incident is the latest in a series of cyber-attacks on Australian businesses which have resulted in personal identifiable information being published on the internet,” he said. “The trend points to a bigger problem in which the data of Australian citizens is being increasingly monetised by cyber criminals. The reasons are many and varied and are often far beyond the control of the targeted organisations or the victims, but the end effect is that the implicit trust you place in organisations when handing over your personal data is being eroded.”
About Author
