Mass charities data breach prompts warnings about outsourcing fundraising

The Pareto Phone ransomware attack led to 150GB of data being copied from the Brisbane-based charity telemarketer’s systems.

More than 320,000 files and the data of at least 50,000 donors were dumped on the dark web after LockBit ransomware operatives stole the data in April, before publishing the information in early August.

Internal documents, contracts, emails, financial information, and personal staff details from the telemarketer – which makes calls on behalf of charities – were compromised. Scores of the country’s biggest charities continue to emerge as victims.

Among the worst hit were WWF Australia (20,500 donors), the Australian Conservation Foundation (13,500 donors), and Plan International Australia (8,000 donors). Some organisations are understood to be considering legal action or seeking compensation from Pareto Phone.

It is understood that this week Pareto Phone provided charities with further detail about the data leak after commissioning a forensic examination of the data by external auditors KPMG.

Many organisations were told of additional donors being affected, while others learnt that they had escaped unscathed. The full report was not provided to charities, despite requests. Pareto Phone did not respond to requests for comment about the findings.

In the wake of the attack, Australia’s privacy watchdog (the Office of the Australian Information Commissioner [OAIC]), Fundraising Institute Australia, the Australian Securities and Investments Commission (ASIC), and the Australian Charities and Not-for-profits Commission (ACNC) have each issued warnings to organisations to take greater care when dealing with third-party operators with access to personal data.

New Zealand’s Office of the Privacy Commissioner this week also confirmed it had been alerted to the breach by Pareto Phone. A spokesperson said: “Our focus has been to provide agencies … advice on how to minimise the harm caused by the breach.”

Other peak bodies, such as the Community Council for Australia (CCA) and the Australian Council for International Development (ACFID), are also working together to protect the sector and lobby for greater support.

Affected organisations still reeling from attack

Many affected organisations have cut ties with Pareto Phone and complained to the OAIC or the FIA that the third-party fundraiser appeared to have breached data protection guidelines by holding on to data for many more years than was necessary.

Leading environmental advocate Greenpeace this week said that while only “a very small proportion” of its donor base was affected, it was “deeply disappointed” by the breach.

“We had expected Pareto Phone to destroy data in alignment with relevant regulations, which it has failed to do, so we’re very disappointed in this, as protecting the privacy of our supporters is of utmost importance to us,” a spokesperson said.

Other organisations, including Mission Australia and Red Cross Australia, this week stressed that even though they had been named in connection to the hack, their donor information had not been breached.

“At Mission Australia, we are always taking steps to improve and strengthen our protections to limit the risk of similar occurrences,” a Mission Australia spokesperson said.

Smaller charities such as CBM Australia, which helps people with disabilities overseas, have been working hard to improve their systems since first learning of a potential breach in April.

CBM CEO Jane Edge said 797 supporters had been affected, and although the breached data did not include financial information, in some cases names, emails, addresses and dates of birth had been disclosed. The organisation had ceased activities with Pareto and demanded it delete all CBM-related data.

She said CBM had been “heavily engaged with our own cyber experts and with Pareto to identify the nature of the files compromised on Pareto’s systems, and to press for timely details and appropriate action”.

“We have no intention of using Pareto Phone’s services again.”

Privacy report shows breaches affect millions

While the OAIC has yet to launch a formal investigation and continues preliminary inquiries, its latest data breach report (January–June 2023) highlighted serious concerns about third-party providers, particularly when it came to data breaches affecting many parties.

According to the report, the watchdog had “observed an increase in the number of data breaches affecting more than one entity”. And it warned, “There are significant risks with outsourcing the handling of personal information to service providers and contractors.”

It said organisations should ensure any providers had strong information governance frameworks that adhered to the Australian Privacy Principles.

The report said the latest 409 data breaches represented a 16% drop on the previous six months, but that three breaches had affected more than one million people each, including one that affected more than 10 million Australians.

These included the huge Medibank hack (more than 10 million) and an Optus breach that affected more than 2 million people. The report did not capture the more recent Latitude Financial, which affected an estimated 14 million people.

OAIC commissioner Angelene Falk said, “Our latest Australian Community Attitudes to Privacy Survey found Australians view data breaches as the biggest privacy risk.”

Charity sector hit by 25 data breaches in past year

Following questions by the Community Advocate, the OAIC confirmed there had been 25 notifiable data breaches affecting the charity sector for the full 2022–2023 year, comprising:

• 18 malicious or criminal attacks
• six cases of human error
• one case of system failure.

Since breach reports were made compulsory in 2018, charities have not figured in the top five most targeted sectors for “notifiable data breaches”. Where previous reports found that charities and not-for-profits were more susceptible to human error breaches than other sectors – such breaches include emails sent to the wrong people – the latest report showed malicious and criminal attacks were now more common.

Organisations most affected by data breaches in the most recent report were:

• health service providers (63 breaches)
• finance industry operators such as banks, wealth managers, financial advisors, super funds, and credit providers (54)
• recruitment agencies (33)
• legal, accounting and management services (26)
• insurance providers (25).

Using third parties for data needs is always a risk: ASIC

The chair of the Australian Securities and Investments Commission (ASIC), which registers not-for-profit companies, said boards must make cyber security and resilience a top priority, and failing to have adequate measures in place could expose directors to penalties.

Joe Longo, delivering a keynote address at a cyber summit this month, said the mass hacks that hit Optus and Medibank last year had been a “wake up call” for many organisations, but that the costs of cybercrime were still predicted to grow by a factor of 13 by 2031.

He stressed two key lessons for every leader:

• “First, every system is vulnerable, and we must plan for that.”
• “Second, reliance on third-party providers is always a risk.”

In terms of vulnerability, he said, “Cyber preparedness is not simply a question of having impregnable systems. That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”

Referring to the second lesson, Mr Longo said, “none of us has control over the security of a third-party provider”.

“If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised.”

He said breaches involving Latitude Financial, Perpetual and MOVEit were all linked to third-party systems.

Reliance on third parties for data security was “a serious weakness”, Mr Longo said.

He said ASIC’s early investigations showed that “one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers”, with nearly half of a yet-to-be-released survey’s respondents not managing third-party risk.

He urged organisations to review providers and evaluate risks, but warned there was currently a “disconnect” between board oversight of cyber risk, management reporting of those risks to boards, identification and assessment of risks, and implementing controls.

“Cyber security and resilience are not merely technical matters on the fringes of directors’ duties,” he said.

“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.

“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it. Don’t put yourself in that position,” Mr Longo said.

ACNC urges orgs to conduct due diligence

The Australian Charities and Not-for-profits Commission (ACNC) has previously advised charities to conduct due diligence to check the policies, processes and practices of fundraising agencies before entering into agreements with them.

Third parties should have policies for data protection (including financial information security), for managing risk, and for effectively responding in the event of a cybersecurity attack, or data breach, a spokesperson said.

Fundraising peak body developing cyber resources

Plan International Australia is among the organisations to have complained to Australia’s fundraising peak body, Fundraising Institute Australia (FIA), about potential breaches by Pareto Phone.

FIA chief executive Katherine Raskob said, “FIA is keenly aware of the recent security breaches and incidents affecting the charitable sector.”

“As the peak body for professional fundraising, we believe it is our role to do all we can to provide support and assistance when incidents such as this occur.”

While unable to discuss any complaints – which were treated confidentially – she said any investigations would be assessed by the FIA Code Authority, which oversees the “self-regulatory framework for best practice fundraising” as laid out in the FIA Code.

The code states: “Members will ensure that appropriate security measures are in place to protect donor information at all times.”

The code requires members’ contracts with all parties in the supply chain to comply with all relevant laws and regulations. It also requires contracted third-party organisations to be aware of member obligations and to avoid actions that could result in a member breaching the code.

Ms Raskob said FIA members were also considered to be compliant when meeting the guidelines laid out by the Australian Signals Directorate and the Digital Transformation Hub’s cyber security essentials.

She said complaints could be lodged at [email protected].

Ms Raskob said the FIA was working with the Public Fundraising Regulatory Association (PFRA), the Community Council for Australia (CCA), and the Australian Council for International Development (ACFID) on “short- and long-term initiatives to support [FIA] members and the sector” in understanding legal obligations under the Australian Privacy Principles.

Those initiatives included the development of new resources to guide members and the sector in relation to data security obligations and standards, and lobbying for funded support from the government.

CCA says feds are ignoring pleas for help

The Community Council for Australia (CCA) has told this masthead that despite the Australian government’s promise to create six “shields” in its new cyber security strategy, charities and not-for-profits did not seem to be a priority.

In a commentary last week for the Community Advocate, CCA head David Crosbie said the sector was hampered by a lack of technology, training and funding and was vulnerable.

“It seems the sector is a sitting duck for bad actors seeking to disrupt and capitalise on weak cyber security.”

Figures from Infoxchange research into NFP technology use backs up the claim, with more than half of NFPs failing to provide cybersecurity training to staff, and 45% without a breach response plan.

He said that Oxfam and the Smith Family recently outlined their experience of damaging cyber attacks, which occurred despite both organisations having well-developed cyber defence systems.

Those organisations spent “hundreds of thousands of dollars” addressing the hacks and handling the reputational fall-out.

“No matter how well prepared you think you are, an attack is a case of when, not if,” Mr Crosbie wrote.

The CCA wrote to the Prime Minister in August to warn that “charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks”, but is still waiting on a response.

During Not-for-profit Finance Week, the Commonwealth Bank’s state manager for transactional banking in Victoria and Tasmania, Gary Doyle, described how some not-for-profits were preparing for the inevitable attacks with recognised strategies. One cybersecurity framework encourages organisations to: “identify and protect assets, detect incidents, respond with appropriate plan, then recover normal operations”. To learn more, watch the 45-minute Cyber Update for Not-for-profits webinar, available on replay until October 31.

Know more? Contact [email protected]