More details emerge in charity hack case collapse

Posted on 21 Aug 2024

By Matthew Schulz, journalist, Institute of Community Directors Australia

More than 150GB of charity and donor data was stolen in the hack by ransomware attackers LockBit.

The ditching of an inquiry into a mass data breach that targeted charity telemarketer Pareto Phone is a missed opportunity to prevent future disasters, a leading NFP technology advocate says, while the peak body for fundraisers has revealed Pareto was signed up to a fundraising code of conduct at the time it was hacked.

The hack attack by the LockBit ransomware group was first made public this time last year, after 150GB of donor and internal data was dumped onto the dark web five months after the hackers breached Pareto Phone’s systems.

Last week, the Community Advocate reported the decision by the Office of the Australian Information Commissioner (OAIC) to quietly shut down its inquiry.

More than 70 charities – including some of Australia’s largest – were affected by the hack, in which the personal information of up to 50,000 donors was put up for sale.

Not-for-profit technology leader Infoxchange believes the OAIC’s decision to drop the case means the sector will miss out on potential lessons from the incident.

“It is disappointing that the Pareto Phone case was dropped as our sector may have learnt more from the results of their investigation,” Infoxchange CEO David Spriggs said.

“This case is another example of how the sector is left vulnerable to cyber risks and attacks, and we once again call on the Federal Government to resource the sector to improve cyber security and more broadly the technology capability of charities and not-for-profit organisations.”

Pareto signed up to fundraising code before breach

This week it emerged that Pareto Phone was a signatory to a fundraising code aimed at protecting donor details.

FIA chief executive Katherine Raskob

At the time of the breach, many affected charities complained to both the OAIC and the fundraising peak body, Fundraising Institute Australia (FIA), that Pareto Phone had breached privacy rules by holding onto donor data for years longer than it should have.

FIA chief executive Katherine Raskob said her organisation’s Code Authority had investigated the breach and had been working through “various options” via a confidential process before Pareto Phone shut down and cancelled its membership of the FIA.

She said Pareto Phone had been a member “for many years”.

“Since 2018, staff of Pareto Phone have undertaken the FIA Code training as required of all members (supplier or other) who work in, with or across fundraising.”

Pareto Phone had also been a member under a slightly different name before the telemarketing business was split off and sold to Merchant Place Investments in 2020 for $16.5 million.

Up to 70 Australian and NZ charities were affected by the hack by the LockBit ransomware group.

Ms Raskob said there were more than 160 third-party suppliers among FIA’s 800 members and said the FIA code employed a “supply chain principle whereby charities who are members must ensure their suppliers are aware of their obligations under the code”.

Ms Raskob said the voluntary code “goes over and above state and federal regulations to guide best practice in fundraising”.

She said that more than 10,000 members had now undertaken code training, which included training in following strict requirements for the security of donor data.

Asked what measures FIA had taken to prevent further breaches, Ms Raskob said the organisation undertook “compliance monitoring of our members in a number of ways including mystery shopping”, as well as providing resources and training on data privacy and security.

But she noted that charities were under pressure “to keep costs as low as possible while ensuring donations are used responsibly”. The FIA, alongside other peak bodies, had unsuccessfully lobbied the government for additional resources in this area.

“More support from government would make a huge difference. Also important is an increased understanding of the need for investment in what is traditionally referred to as ‘overheads’,” she said.

The FIA was among supporters of the Reframe Overhead and Pay What It Takes campaigns to ensure charities and not-for-profits were adequately funded.

Fundraising regulations continue to be in the spotlight, with Charities Minister Andrew Leigh this week writing to states and territories that have so far failed to adopt a universal fundraising framework, despite promising to do so early last year.

Privacy watchdog highlights supplier focus after case dropped

Privacy Commissioner Carly Kind

In the wake of the Pareto decision, the Community Advocate asked Privacy Commissioner Carly Kind for more details about why the Office of the Australian Information Commissioner (OAIC) had dropped the case.

Ms Kind was speaking at a “regulators day” event hosted by the Australian Charities and Not-for-profits Commission (ACNC) last week which was attended by hundreds of public servants and sector leaders.

She joined Mr Spriggs as well as the ACNC’s director of compliance, Michelle Cozadinos, in a panel discussion on privacy and cybersecurity for charities.

The OAIC revealed last week that it had dropped the case after questions from the Community Advocate, with the privacy watchdog reasoning that, with the company in liquidation, “the possible remedies that we could obtain for the community would not be proportionate to the resources required”.

Expanding on that explanation at the ACNC event, Ms Kind said, “we've decided … not to take further steps to pursue Pareto Phone because of the unlikelihood that we would exact [an] outcome for the Australian community, given that the organisation has gone into administration”.

The company collapsed last year owing creditors more than $17 million.

But the case had helped the OAIC to focus the sector’s attention on the risks of using third-party suppliers such as Pareto Phone to conduct fundraising and other services, Ms Kind said.

“We think it's a really illustrative case to help us bring attention to this issue around the use of third-party suppliers, which is becoming more and more common across all aspects of the economy.”

She said it drew attention to the way organisations should consider privacy obligations.

“The Privacy Act does require entities to ensure that any third parties they use are adhering to the privacy obligations that they themselves bear under the legislation,” she said.

This should be possible “through the normal kind of due diligence procedures that you would do in other areas of compliance”, but she said all organisations that contracted others to do some of their work should be certain their suppliers had established data breach notification and data breach response schemes.

If those third parties were subject to a data breach, client organisations would then have “a good understanding … of who will be notified when, and who will handle which aspects of the breach”.

Ms Kind hoped that those clauses would become a commonplace feature of third-party supplier contracts.

The OAIC is updating its guidance for the sector.

Watchdog’s focus on community safety

The OAIC also wanted to reassure the sector that a data breach need not be a contravention of the Privacy Act, as in cases where entities had little fault in the matter, and where they’d already established a strong cybersecurity framework.

“Data breaches coming from either incredibly sophisticated cyber-attacks, or momentary lapses in process or technology … don't necessarily warrant an investigation on the part of my office,” she said.

She also wanted to assure organisations that reporting a breach did not mean that an organisation was more likely to be investigated.

“What it does make you more likely to be is in compliance with obligations around data breach notification, and able to respond to the concerns of the community, who, after all, are at the heart of data breach notification schemes.”

Ms Kind told delegates that good cybersecurity and data governance were essential to maintaining trust with donors and complying with legal obligations. And she flagged changes to the Privacy Act that might remove exemptions that charities currently enjoy, which would require them to upgrade their data governance practices to stay compliant.

She said there had been more than 1000 data breaches in the past year, up 13% on the previous year, mostly as a result of malicious attacks, but she said a significant number had been caused by human error, and training and good internal processes would reduce the risk.

Sector still has a way to go to counter cyber threats

Infoxchange CEO David Spriggs

David Spriggs from Infoxchange – speaking at the regulators day – said his organisation’s most recent scan of technology issues in the sector had found that of more than 1000 organisations, more than half were not using multi-factor authentication (MFA) throughout their systems, and the rate had improved by just 5% over the past 12 months.

Infoxchange had done what it could to increase the ability of organisations to prepare for and respond to cyberattacks, such as through its Cyber Safe Hub, he said.

He said NFP leaders should make cybersecurity a regular item on board agendas, implement MFA immediately, and conduct regular staff and volunteer training.

The Institute of Community Directors Australia and other organisations have compiled free resources to assist organisations with good cyber, data and privacy governance.

The ACNC’s Michelle Cozadinos accepted that smaller charities were finding it harder to tackle the cyber threat, and that even though most were aware of available guidance and support, the issue remained costly and challenging. She said the ACNC was set to update its guidance based on sector feedback.

Asked to comment on the Pareto Phone case developments, an ACNC spokesperson said the regulator did not have jurisdiction over telemarketers that operated for charities.

But they said the ACNC had produced guidance for charities working with fundraising agencies which stressed that organisations should undertake a close review of any agency’s track record, experience, policies and practices before signing any contracts.

More information

Cybersecurity remains a hot-button issue for NFPs (includes resource links)
