Thousands of charity donors have data leaked on dark web after telemarketer hack

A cyber attack on a telemarketer has resulted in the data of thousands of charity donors being leaked on the dark web.

user icon Daniel Croft
Wed, 23 Aug 2023

The attack hit Brisbane-based telemarketing firm Pareto Phone back in April. The company is responsible for reaching out for donations on behalf of a number of major charities.

Following the hack, the data of donors across multiple charities was leaked on the dark web. At this stage it is unknown how many donors or charities have been compromised; Pareto Phone works on behalf of more than 70 charities.

Three charities – the Cancer Council, Canteen, and The Fred Hollows Foundation – have all come forward saying that data belonging to their donors has been published on the dark web.

This brings the total affected across the three to 4,300, with 2,600 from Canteen between 2020 and 2021; 1,700 from Fred Hollows from 2013 to 2014; and “a very small number” from the Cancer Council, which said it is still waiting on verification from Pareto Phone.

While not all 70 charities have reportedly been affected, there is significant potential for that number to grow.

The attack was claimed by cyber criminal group LockBit, which listed Pareto Phone on its dark web leak site on 31 July.

The threat group said it had stolen 150 gigabytes of personal data and that if terms were not met, the data would be released on 7 August 2023.

The Fred Hollows Foundation has said that it is “deeply disappointed” that its data was still held by Pareto Phone, considering it hadn’t used its services for almost a decade.

“We worked with Pareto Phone only during 2013 and 2014. We were not aware our data was still held by them,” the charity said in a statement.

“Under the Australian Privacy Principles, there is a requirement for personal information data to be destroyed or de-identified once it is no longer needed for the purpose for which it was collected.

“This is a requirement all our partners must comply with, and we have requested Pareto Phone delete any remaining data on our donors.”

Another charity, Médecins Sans Frontières (MSF), has raised concerns about Pareto Phone's data retention.

“Under the Australian Privacy Principles, organisations must take reasonable steps to destroy personal information data that is no longer required,” the statement said. “MSF has not worked with Pareto Phone for almost five years.

“Pareto Phone has informed the regulators, the Office of the Australian Information Commissioner (OAIC) and the NZ Privacy Commissioner of their data breach.

“MSF will also work with these regulators to ensure that all necessary action is taken to protect donor data.”

The Australian Cyber Security Centre (ACSC) has said that it is ready to “offer technical advice and remediation as required”, according to a Home Affairs spokesperson.

“Australia’s charities are an important part of our community and do critical work improving people’s lives,” the spokesperson said.

“This incident shouldn’t stop you from donating to charities.”

Professor Nigel Phair, Department of Software Systems and Cybersecurity, Faculty of Information Technology, has said that organisations need to be careful when using third-party providers, and should ensure that data is not kept beyond what is needed.

“The best way for organisations not to have a data breach is for them to delete customer identifying information post-transaction,” he said.

“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers.

“Beyond what organisations can do to safeguard themselves we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cybersecurity. The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified.”
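The retention requirement the charities and Professor Phair describe (destroy or de-identify personal information once the purpose it was collected for has ended) is only as good as the routine that enforces it. The following is an added example, not code from Pareto Phone or any charity named above, of a retention sweep a processor holding data on behalf of multiple clients could run. It assumes each record carries the client it was collected for, that each client engagement has a known end date, and a hypothetical 90-day retention window after that end; records still needed for the client's financial reporting are de-identified rather than destroyed so the amounts survive but the person does not. The sample records, client names and dates are constructed for the example.

```python
"""Retention sweep for personal data held on behalf of third-party clients.

Added example; not the code of any organisation named in the article.
Assumptions (hypothetical): every record is tagged with the client it was
collected for; the engagement end date per client is known; records are
destroyed 90 days after the engagement ends unless a financial hold applies,
in which case direct identifiers are stripped and the figures are kept.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DonorRecord:
    record_id: int
    client: str            # client the data was collected for
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    amount_aud: float
    collected: date
    financial_hold: bool = False  # still needed for the client's financial reporting


# Constructed: when each client relationship ended (None = still active).
ENGAGEMENT_END: Dict[str, Optional[date]] = {
    "charity_a": date(2014, 12, 31),
    "charity_b": date(2021, 6, 30),
    "charity_c": None,
}

RETENTION_AFTER_END = timedelta(days=90)  # hypothetical policy figure


def classify(rec: DonorRecord, today: date,
             engagement_end: Dict[str, Optional[date]] = ENGAGEMENT_END,
             window: timedelta = RETENTION_AFTER_END) -> str:
    """Return 'keep', 'deidentify' or 'destroy' for one record."""
    if rec.client not in engagement_end:
        # No known purpose justifies holding it: default to destruction,
        # never to indefinite retention.
        return "destroy"
    end = engagement_end[rec.client]
    if end is None or today - end <= window:
        return "keep"
    return "deidentify" if rec.financial_hold else "destroy"


def deidentify(rec: DonorRecord) -> DonorRecord:
    """Strip direct identifiers; amount, date and client are retained."""
    return replace(rec, name=None, email=None, phone=None)


def sweep(records: List[DonorRecord], today: date,
          engagement_end: Dict[str, Optional[date]] = ENGAGEMENT_END,
          window: timedelta = RETENTION_AFTER_END) -> Dict[str, list]:
    """Partition records into what is kept, what is de-identified and the
    ids of what must be destroyed (the id list doubles as the audit trail
    for the deletion that follows, including in backups)."""
    keep: List[DonorRecord] = []
    deid: List[DonorRecord] = []
    destroy: List[int] = []
    for rec in records:
        verdict = classify(rec, today, engagement_end, window)
        if verdict == "keep":
            keep.append(rec)
        elif verdict == "deidentify":
            deid.append(deidentify(rec))
        else:
            destroy.append(rec.record_id)
    return {"keep": keep, "deidentify": deid, "destroy": destroy}


# Constructed sample data.
SAMPLE_RECORDS = [
    DonorRecord(1, "charity_a", "A. Donor", "a@example.org", "0400000001", 50.0, date(2013, 5, 1)),
    DonorRecord(2, "charity_a", "B. Donor", "b@example.org", "0400000002", 120.0, date(2014, 3, 9), True),
    DonorRecord(3, "charity_b", "C. Donor", "c@example.org", "0400000003", 30.0, date(2020, 11, 2)),
    DonorRecord(4, "charity_c", "D. Donor", "d@example.org", "0400000004", 75.0, date(2023, 2, 14)),
    DonorRecord(5, "unknown_client", "E. Donor", "e@example.org", "0400000005", 10.0, date(2019, 7, 7)),
]

if __name__ == "__main__":
    result = sweep(SAMPLE_RECORDS, date(2023, 8, 23))
    print("destroy:", result["destroy"])
    print("de-identify:", [r.record_id for r in result["deidentify"]])
    print("keep:", [r.record_id for r in result["keep"]])
```

The point of the `unknown_client` branch is that a record with no traceable purpose is treated as overdue for destruction, not as safe to keep; the failure mode described above is data surviving a decade after the engagement that justified collecting it ended.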
