cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Bush Heritage Australia joins growing list of Pareto Phone breach victims

Not-for-profit conservation organisation Bush Heritage Australia has announced that it has been made aware that data belonging to its donors has been impacted in the Pareto Phone data breach.

user icon Daniel Croft
Thu, 24 Aug 2023
Bush Heritage Australia joins growing list of Pareto Phone breach victims
expand image

“Bush Heritage Australia has been informed by former telemarketing partner Pareto Phone that it has experienced a data security breach and that Bush Heritage Australia donor information has been impacted,” the statement said.

“The breach relates to telemarketing campaigns conducted by Pareto Phone on behalf of Bush Heritage Australia in 2012–14.”

The charity has said that data was “limited to surname, city, postcode, state, email, and date of birth,” and that Pareto Phone did not collect any financial information such as credit card info, as it did with some other charities.

“Bush Heritage Australia is currently analysing the data to understand who has been impacted.”

Bush Heritage Australia reaffirms that its “generous community of donors” are its number one priority, and it advises anyone concerned to remain vigilant and alert.

“Bush Heritage Australia wishes to assure its supporters that it is reviewing and monitoring the data security event and will communicate any updates as soon as possible.”

The attack hit Brisbane-based telemarketing firm Pareto Phone back in April. The company is responsible for reaching out for donations on behalf of a number of major charities.

Following the hack, the data of donors across multiple charities was leaked on the dark web. While at this stage, it is unknown how many donors or charities have been compromised, with Pareto Phone responsible for more than 70 charities.

The Pareto Phone data was first listed by LockBit on its leak site on 31 July, with the group listing a deadline of 7 August. While not explicitly stated, LockBit had likely reached out to Pareto Phone demanding a ransom payment for the deletion and/or decryption of the stolen data, based on the criminal groups previous activities.

The threat group said it had stolen 150 gigabytes of personal data and that if terms were not met, the data would be released on 7 August 2023.

“FILES ARE PUBLISHED,” said the group on its dark web leak site, seen by Cyber Security Connect.

While it is unclear whether all of Pareto Phone’s charities have been affected, the number of charities announcing that their data has been compromised is likely to grow.

The breach raises concerns regarding data retention, with some of the data listed dating back to as early as 2007.

Professor Nigel Phair, department of software systems and cybersecurity, faculty of information technology, has said that organisations need to be careful when using third-party providers, and should ensure that data is deleted.

“The best way for organisations not to have a data breach is for them to delete customer identifying information post-transaction,” he said.

“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers.

“Beyond what organisations can do to safeguard themselves, we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cyber security. The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.