More charity donor leak details emerge as watchdog poised to launch probe

Posted on 30 Aug 2023

By Matthew Schulz and Greg Thom, journalists, Institute of Community Directors Australia

UPDATE: Several more charities have confirmed they are among the victims of a massive data breach affecting up to 70 organisations and 50,000 donors amid concerns that a hacked telemarketer held data for far too long.

As more details of the leak came to light, authorities continued a preliminary investigation into the hack of charity telemarketer Pareto Phone, while a formal complaint about its data retention practices was lodged with Australia’s peak fundraising body.

A dark web monitoring service has joined officials warning groups to take the risks more seriously, while the charities peak called on the government to do more to help charities battle the cybersecurity threat.

Since the hack came to light last week, a growing list of charities identified themselves as victims of the LockBit hack of the third-party charity telemarketer.

Intelligence platform Falcon Feeds said 150GB of sensitive data collected by the Brisbane-based company was released onto the dark web by the LockBit group this month.

Now many of those charities, with the help of Australian authorities, are scrambling to advise affected donors about how to protect themselves from fraud and scams.

Plan International Australia has lodged a formal complaint with Fundraising Institute Australia, the national fundraising peak body, which requires members to abide by a code of conduct, including ensuring appropriate security measures for data, and valuing privacy and confidentiality.

Data hack happened months ago

LockBit operatives first snatched the data in late April.

While Pareto informed some charities at the time that it had suffered a “cyber incident”, it told Amnesty International, Plan International Australia and others that “there was no evidence that data had been downloaded or taken”.

But after the data dump this month, Pareto changed its advice, telling organisations that donor information had been affected in many cases.

According to a dark web watcher’s report of the hack seen by the Community Advocate, the LockBit ransomware group listed Pareto Phone on its “data leaks portal” on July 30 before publishing files a week later.

Listed folders include “caller data”, “finance”, “client secure data”, “data services” and folders containing Pareto’s policies and procedures, commercial documents, and personal folders. The list of stolen files runs to more than 1100 pages.

Pareto Phones stops taking media calls as victim list grows

More charities have been added to the roll call of affected organisations almost daily since the breach was made public. Among the victims (tap for public statements where available):

Australian Conservation Foundation (13,500 donors)
Amnesty International (1500 donors)
Bush Heritage Australia (2605 donors)
Canteen (2600 donors)
Cancer Council (still assessing numbers)
Children’s Cancer Institute (administrative files only)
Fred Hollows Foundation (1700 donors)
Legacy Australia (a "small number of donors")
Médecins Sans Frontières (numbers being assessed)
Plan International Australia (8000 donors)
Save the Children (numbers being assessed)
Stroke Foundation (numbers not disclosed)
Vision Australia (numbers not disclosed)
WWF Australia (20,500 donors)

Many affected organisations raised concerns that Pareto kept data from more than 15 years ago, in breach of government guidelines, which require data to be destroyed or de-identified if it is no longer being used.

Several organisations said they had cut ties with Pareto.

The Community Advocate asked Pareto Phone to respond to a series of questions, including whether it may have breached privacy and data retention rules.

An informal response came from public relations firm Porter Novelli, which did not respond to any questions, except to confirm that “Pareto is focused on our investigation”.

The company’s CEO, Chris Smedley, previously released a statement to ABC News to apologise for the distress the breach had caused and to confirm Pareto Phone was working urgently with forensic specialists to analyse affected files.

"We have not at this stage identified any identity documents such as tax file numbers, driver licences and passports about any donor," Mr Smedley said.

ABC News reported Mr Smedley as saying that Pareto Phone continued to make calls on behalf of charities and was committed to protecting information held on their behalf.

“Leaving charities to fend for themselves in dealing with the threat posed by global cyber-security attacks is not an acceptable policy approach.”

Community Council for Australia letter to the PM

Peak body demands more help from feds

In the wake of the massive breach, charities peak body the Community Council for Australia (CCA) called on the government to better protect charities from cyberattacks.

In a letter to the Prime Minister Anthony Albanese and Minister for Cyber Security Clare O'Neil, the CCA board raised concerns about a lack of support for charities in dealing with the threat.

The CCA said it had been pointing out for some time that Canberra provided special cyber-security programs for small business but offered no significant support for charities and not-for-profits.

“Leaving charities to fend for themselves in dealing with the threat posed by global cyber-security attacks is not an acceptable policy approach.”

Dear Prime Minister,

We write expressing our serious concerns about cyber security risks to Australian charities and NFPs.

Every organisation in Australia is aware of the growing threat posed by bad actors seeking to exploit illegal access to information.

For businesses, including SMEs, your government has provided various programs and incentives to promote better data security and preparedness. Most of these incentives are in the form of tax concessions and grants (e.g. The Cyber Security Business Connect and Protect Program, the Cyber Wardens program for small business).

The 2023 – 2030 Australian Cyber Security Strategy discussion paper does not mention charities, not-for-profits, or community organisations, although it specifically mentions business 12 times and SMEs twice.

Governments across Australia do not always recognise the size and nature of the charities and not-for-profit sector. Charities alone employ over 1.3 million workers or 10.5% of the Australian workforce, and contribute over 5% to GDP in our annual turnover of $190 billion. Perhaps more importantly in the context of cybersecurity, charities hold extensive personal and financial information from millions of Australians.

Despite this massive footprint in our economy and in our lives, charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks. Unlike business, charities spend every spare dollar they can find on serving their communities. Allocating more resources to strengthen cyber security would mean reducing the level of services available in our communities. Many charities and NFPs struggle to withdraw services, even though cybersecurity is clearly an important priority.

There will be cyber-attacks on charities and there is real potential for certain kinds of attacks to significantly damage confidence and trust in our sector. Cyber-attacks in our sector could also have devastating impacts on individuals and communities.

We ask that you consider providing increased support for charities across Australia to be able to review their current cybersecurity preparedness and to invest in better data security and protection. This is no more than what your government is already providing to business.

Leaving charities to fend for themselves in dealing with the threat posed by global cyber-security attacks is not an acceptable policy approach.

We look forward to your response.

Yours sincerely,

Rev Tim Costello AO, Chair, Community Council for Australia
David Crosbie, CEO, Community Council for Australia

22^nd of August 2023

Community Council for Australia Board of Directors 2023

Rev Tim Costello CCA Chair
Claire Robbs CCA Deputy Chair and CEO, Life Without Barriers
Louise Baxter CEO, Starlight Children’s Foundation
Jon Bisset CEO, Community Broadcasting Association of Australia
Sharon Callister CEO, Mission Australia
Anna Draffin CEO, Public Interest Journalism Initiative
Deirdre Cheers CEO, Barnardos Australia
Richard Mussell CEO, RSPCA Australia
Mark Pearce CEO, Volunteering Australia
Marc Purcell CEO, Australian Council for International Development
Suzie Riddell CEO, Social Ventures Australia
Nicola Stokes General Manager, AMP Foundation

Charities working to ease donor concerns

In most cases, affected charities have been at pains to stress that no credit card information, banking details or important identification documents were leaked onto the dark web.

Plan International Australia confirmed credit card details of some donors from 2009 had been released, although those details had long since expired.

Plan was among several organisations that raised questions about Pareto’s data retention practices that meant information from as far back as 2007 was kept on its servers.

Plan International Australia's Susan Legena

Plan International Australia CEO Susan Legena said “all activity with Pareto Phone has been suspended and we are no longer working with this business”.

“We trusted Pareto Phone, and we were not aware that this data was still held by Pareto Phone. In keeping this data, Pareto Phone has breached Australian Privacy Principles as well as our own agreement for the data to be destroyed. We have made a formal complaint to the Fundraising Institute of Australia in relation to Pareto Phone and this matter.”

The Australian Conservation Foundation said it had alerted 13,500 supporters affected by the breach.

An ACF spokesperson said the organisation was “dismayed” that personal information was compromised, but stressed no credit cards or identifying documents were involved, there was no evidence the information had been misused, and its own systems had not been affected.

It is among a number of organisations to have raised concerns about Pareto’s data retention practices and said, “We are concerned Pareto kept old data it should have destroyed.”

ACF is among several organisations to have severed relationships with Pareto.

The Fred Hollows Foundation said even though it had not worked with Pareto Phone for nine years, the private details of 1,700 of its donors – which do not include financial details – had been affected.

The charity also said in a statement that it was “deeply disappointed” at the breach and that it was unaware the personal details of donors were still being held by the telemarketer, in breach of privacy laws.

“We worked with Pareto Phone only during 2013 and 2014. We were not aware our data was still held by them.

“Under the Australian Privacy Principles, there is a requirement for personal information data to be destroyed or de-identified once it is no longer needed for the purpose for which it was collected.

“This is a requirement all our partners must comply with. We have requested Pareto Phone delete any remaining data on our donors.”

Canteen, which supports young people battling cancer, contacted 2,600 of its donors after information including names, dates of birth, addresses, email addresses and phone numbers was compromised.

“It has taken some significant time to understand exactly what personal information about a subset of Canteen supporters has in fact been accessed,” a spokesperson said.

“We’re deeply upset that our supporters have been impacted by a data breach at Pareto Phone, a company contracted by Canteen, and we have paused all activity with them.

Canteen said anyone who had not already been contacted had not been affected by the data breach, and that at this stage no financial information had been compromised.

Cancer Council Australia CEO Professor Tanya Buchanan said the organisation was waiting to hear more detail from Pareto Phone as to how many of its donors had been affected and the type of data involved.

“Cancer Council understands that we are one of many charities that Pareto Phone has worked with that have been impacted by their data breach,” said Professor Buchanan.

She said as information came to hand, the charity was immediately notifying anyone who had been adversely affected, which to date was “a very small number.”

Professor Buchanan als said the Cancer Council was no longer using Pareto Phone.

Médecins Sans Frontières (MSF) used Pareto Phone until 2018 and in a statement, MSF said, “Pareto Phone have advised that some personal information from MSF donors has been compromised in this data breach.”

“We are currently working with Pareto Phone to understand the impact that this breach may have had. We are contacting any affected MSF supporters as soon as it is clear who has been affected and what information has leaked.”

Many organisations, including WWF Australia, have advised supporters to review their security.

In advice mirrored by other organisations, it urged its donors to take the following actions:

remain alert to fraudulent and suspicious activity
seek support from IDCARE – Australia’s national identity and cyber support service
review passwords
seek more information on cyber security.

Ransomware attacker identified by dark web watcher

Global data threat intelligence platform Falcon Feeds, which tracks more than 25,000 dark web sources, has identified the hackers as coming from the LockBit ransomware group.

It said LockBit had obtained 150 GB of data in the hack.

According to the Australian Signals Directorate, 18% of all ransomware incidents in the country in the year to March 2023 originated from the LockBit group.

The ASD described LockBit as the most common ransomware variant in the world and said it had been “prolific” in the past year, recruiting “affiliates” to attack an array of sectors using a wide range of tactics.

“This variance … presents a notable challenge for organisations working to maintain network security and protect against a ransomware threat,” the ASD warned.

Cyber Security Connect journalist David Hollingworth, in an analysis of the data dump, said the information appeared to have been downloaded from a single hard drive.

But he said “the elephant in the room” was the issue of data retention.

“This is a huge trove of data, some of it nearly two decades old. A lot of it is detailed, much of it involves personally identifiable information, and some of it is quite sensitive. In other words, it is very useful data for scammers and phishers, who might be able to grab the name of someone from accounts, spoof their email address, and then contact another employee to catch them in a scam. And that’s just the tip of the iceberg.”

Falcon Feeds’ Nandakishore Harikumar urged organisations to take a multi-pronged approach to protection.

This included:

regularly updating staff with training on and awareness of the “current threat landscape”, and helping them recognise suspicious emails, links, and attachments to prevent cyber threats
keeping systems up-to-date to minimise vulnerabilities
having a reliable backup system to avoid issues with restoring data
contacting security vendors for periodic security audits to identify vulnerabilities
having a comprehensive incident response plan, which should be regularly updated.

“This cannot be achieved through a single process; you need to have combination of tools, strategy and practices,” Mr Harikumar said.

He said organisations should know that LockBit was just one of a number of ransomware groups, with names such as Noescape, Play, Medusa, Thysida, Cl0p, 8Base, Akira and Knight.

He said organisations could also be targeted by DDoS (distributed denial of service) attacks by Anonymous Sudan and Noname, which had run an OpAustralia campaign.

He warned that attackers were now using generative AI to develop more sophisticated phishing methods to deceive users into revealing crucial access information, such as passwords.

How the latest version of LockBit exploits data vulnerability.

Formal probe on the cards as watchdog seeks more details

The Office of the Australian Information Commissioner (OAIC) said it had been notified of the cyber-attack and continued making preliminary inquiries into the case.

According to its guidelines, inquiries are often a prelude to a formal investigation.

“The OAIC is monitoring the situation to ensure that the requirements of the NDB scheme have been met,” an OAIC spokesperson said.

Under the Notifiable Data Breaches (NDB) scheme, organisations covered by the Privacy Act must notify the OAIC and affected individuals as soon as practicable if they “experience a data breach that is likely to result in serious harm to individuals whose personal information is involved”.

A survey last year by not-for-profit tech support agency Infoxchange revealed many NFPs were unprepared to deal with cyber security threats.

The Digital Technology in the Not-for-Profit Sector study revealed that more than 54% of NFPs have conducted no staff training in cybersecurity.

Just under half don’t have a response plan to deal with data breaches.

Commenting at the time of the Optus data breach late last year, Australian Information Commissioner and Privacy Commissioner Angeline Falk said recent data breaches were a wake-up call for every organisation.

“Organisations in the not-for-profit sector can reduce the risk of human error by promoting staff awareness about secure information handling practices,” she said.

Ms Falk urged organisations to collect only necessary personal information and then to delete it when no longer needed.

She suggested that organisations should visit the OAIC website for advice.

Australian Privacy Commissioner and Information Commissioner Angeline Falk.

Charities regulator urges checks when working with third parties

A spokesperson for the Australian Charities and Not for profits Commission (ACNC) said that while working fundraising agencies enables charities to raise funds while allowing them to focus on charitable purposes, responsible people at those charities should conduct due diligence to ensure they were sufficiently informed about the policies, processes and practices of a fundraising agency before entering into any agreement.

This included ensuring fundraising agencies have policies for data protection (including financial information security), and for managing risk and effectively responding in the event of a cybersecurity attack, or data breach.

The federal government has worked in recent years on fundraising reform and reached agreement in February to adopt a set of National Fundraising Principles – including principles relating to working with commercial fundraisers and the collection, use and management of information.

Fundraisers watching developments closely

GiveNow, a donations platform which is a sibling enterprise to the Institute of Community Directors Australia (ICDA), is among fundraising platforms watching the breach closely.

GiveNow executive director Cathy Truong said the breach was just the latest to hit the sector.

“It is devastating for all parties involved, especially the unsuspecting donors,” Ms Truong said.

“While no financial information was included in this breach, it is the theft of personal information that is distressing for donors.”

Ms Truong said the cyber attack was a timely reminder of the responsibilities of all players in the fundraising sector to maintain data security, including:

asking third party providers about their security protocols before engaging with them
being discerning about what information is handed over. This includes giving only the data needed to fulfil the task.
not collecting more information from donors than absolutely necessary.

“We at GiveNow recommend that our organisations collect no more personal information than first name, last name and email address from donors,” said Ms Truong.