Incident: Amnesty International Australia slow with disclosure after December hack | SMH
Australian Not-for-profit Hacked, 28 April 2023
Amnesty International Australia slow with disclosure after December hack
Amnesty said none of the information met the legal threshold that would have required Amnesty to disclose.
Hackers accessed Amnesty International Australia donor information in an attack last year that the human rights charity waited for four months to disclose.
In a statement posted to its website on Friday, five days after queries from this masthead, Amnesty said it had detected the attack on December 3, 2022. The charity said it subsequently secured its IT systems and started an investigation.
The Amnesty Australia spokeswoman said the organisation took cybersecurity seriously and had made its systems more secure. The hack affected only Amnesty International Australia, not other branches of the global human rights advocacy group. The organisation was unable to work out who was behind the attack or the motivation behind it.
Interestingly, we have a report from Amnesty Canada around the same timeframe: “Amnesty International Canada says it was targeted by China-sponsored cyber attack – ABC (Australia)”. Coincidence???
“In the course of this investigation, we identified that some low-risk information relating to individuals who made donations in 2019 was accessed,” a spokeswoman said.
She said none of the information met the legal threshold that would have required Amnesty to disclose the breach to affected donors or the Office of the Australian Information Commissioner, which tracks hacks, because it was incomplete, already public or had scant potential to cause damage.
I would really like to see their determination on this. I can think of several state actors who would like to know who is donating to Amnesty. My guess is that this would present more risk than the usual privacy breach, with potential retribution from state actors. Though there is little detail in the reports to make an informed judgement.
This raises one of my biggest concerns over the Australian Notifiable Data Breach (NDB) scheme: the wriggle room it leaves over ‘result in serious harm’. At a minimum, the details should be notified, and the OAIC should be able to override the decision not to inform users, or enforce actions if the rectification and mitigation actions are not adequate.
“Our investigation found no evidence that any information has been or will be misused,” she said.
Hacks must be disclosed if they are likely to result in “serious harm to one or more individuals, and the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action”.