Incident: Thousands of donors to Australian charities, including Cancer Council and Canteen, have data leaked to dark web | ABC News (Australia)
Australian Telemarketer Breach, 23 August 2023
Pareto Phone, a Brisbane-based telemarketing company that contacts potential donors on behalf of charities, was hacked by cybercriminals in April
Amnesty International Australia, Australian Conservation Foundation, Wilderness Society, Cancer Council Cancer, The Fred Hollows Foundation, Canteen, Heart Foundation Heart Foundation, Medecins Sans Frontieres
Company Statements:
- Amnesty International Australia’s (AIA) – PARETO PHONE CYBER INCIDENT Statement
- Australian Conservation Foundation Statement on Pareto data breach
- Wilderness Society – Statement Pareto Phone data incident
- Sources:
- Thousands of donors to Australian charities, including Cancer Council and Canteen, have data leaked to dark web | ABC News (Australia)
- 24 Aug 2023: Australian Conservation Foundation says data of 13,500 donors caught up in Pareto Phone hack | ABC News (Australia)
- Multiple Australian charities have had donor information leaked onto the dark web. Here’s what we know | ABC News (Australia)
- Privacy watchdog ‘monitoring’ telemarketer after financial information posted to dark web in data breach | ABC News (Australia)
View more incidents from Charities and Not For Profit sector and incidents relating to Queensland
Pareto Phone, a Brisbane-based telemarketing company that contacts potential donors on behalf of charities, was hacked by cybercriminals in April.
In a statement on Wednesday, Pareto Phone’s CEO, Chris Smedley apologised for the distress the breach had caused and said the company was working “urgently” with forensic specialists to analyse affected files. He did not respond to The Fred Hollows Foundation’s claim.
More than 320,000 files stolen from Pareto servers by cybercriminals in April were made public on the dark web last month, including tens of thousands of charity donor details.
Staff Information: Highly sensitive documents like police checks, child support documents, pay negotiations, HR incidents, immigration sponsorship details, COVID vaccination credentials, tax file numbers, passports and licences were also swept up in the wide-reaching leak.
Donor information including full names, date of birth, addresses, email addresses and phone numbers had been released, but not financial information.
The ABC understands more than 70 Australian charities used Brisbane-based Pareto Phone, but not all had been affected.
The Cancer Council, Canteen and Fred Hollows Foundation have confirmed donor information has been published on the dark web.
The Fred Hollows Foundation said 1,700 of its donors were affected, and claimed the data had been held without the charity’s knowledge.
In a statement on Wednesday morning, Médecins Sans Frontières (MSF) said it had not engaged the third-party fundraiser since 2018.
“Under the Australian Privacy Principles, organisations must take reasonable steps to destroy personal information data that is no longer required.
“MSF has not worked with Pareto Phone for almost five years.
“Pareto Phone has informed the regulators, the Office of the Australian Information Commissioner (OAIC) and the NZ Privacy Commissioner of their data breach.
Australian Conservation Foundation
“ACF can regretfully confirm some of our supporters’ personal information has been compromised in the Pareto data breach. We have notified 13,500 supporters who have been affected. We understand no ACF supporters’ credit card information or identifying documents are involved.
We trusted Pareto with our supporters’ personal information so the company could help us raise funds to continue our environmental protection and advocacy work. We are concerned Pareto kept old data it should have destroyed. We are suspending our relationship with Pareto immediately.
Wilderness Society
Unfortunately the identified files include some Wilderness Society supporter data. Pareto Phone has informed us that they have not identified any compromised data files related to Wilderness Society supporters that contain credit card or bank account details.
Please note that the Wilderness Society’s own systems have not been impacted by this incident in any way.
Wilderness Society – Statement Pareto Phone data incident
