Australian Red Cross denies donor data breached in Pareto Phone hack

Major humanitarian aid charity Australian Red Cross has denied that customer data was involved in the recent Pareto Phone breach that has affected a substantial number of Australian charities.

Daniel Croft
Thu, 24 Aug 2023

Hundreds of lines of data referring to Australian Red Cross, including invoices and conversion reports, were listed on the dark web by the cyber criminal organisation claiming responsibility for the breach, LockBit.

Speaking with Cyber Security Connect, a spokesperson from Australian Red Cross said the organisation had been advised that no donor data has been affected.

The attack hit Brisbane-based telemarketing firm Pareto Phone back in April. The company is responsible for reaching out for donations on behalf of a number of major charities.

Following the hack, the data of donors across multiple charities was leaked on the dark web. At this stage, it is unknown how many donors or charities have been compromised, with Pareto Phone responsible for more than 70 charities.

The Pareto Phone data was first listed by LockBit on its leak site on 31 July, with the group listing a deadline of 7 August. While not explicitly stated, LockBit had likely reached out to Pareto Phone demanding a ransom payment for the deletion and/or decryption of the stolen data, based on the criminal group's previous activities.

The threat group said it had stolen 150 gigabytes of personal data and that if terms were not met, the data would be released on 7 August 2023.

“FILES ARE PUBLISHED,” said the group on its dark web leak site, seen by Cyber Security Connect.

While it is unclear whether all of Pareto Phone’s charities have been affected, the number of charities announcing that their data has been compromised is likely to grow.

The breach raises concerns regarding data retention, with some of the data listed dating back to as early as 2009.

Professor Nigel Phair, department of software systems and cybersecurity, faculty of information technology, has said that organisations need to be careful when using third-party providers and should ensure that data is deleted.

“The best way for organisations not to have a data breach is for them to delete customer-identifying information post-transaction,” he said.

“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers.

“Beyond what organisations can do to safeguard themselves, we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cyber security. The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
