
Posted on 27 Sep 2023
By Matthew Schulz, journalist, Institute of Community Directors Australia
Authorities have warned organisations to be wary of relying on third-party providers who have access to their data, as the shockwaves continue from a huge fundraising breach that has affected an estimated 70 Australian and New Zealand charities.
The Pareto Phone ransomware attack led to 150GB of data being copied from the Brisbane-based charity telemarketer’s systems.
More than 320,000 files and the data of at least 50,000 donors were dumped on the dark web after LockBit ransomware operatives stole the data in April, before publishing the information in early August.
Internal documents, contracts, emails, financial information, and personal staff details from the telemarketer – which makes calls on behalf of charities – were compromised. Scores of the country’s biggest charities continue to emerge as victims.
Among the worst hit were WWF Australia (20,500 donors), the Australian Conservation Foundation (13,500 donors), and Plan International Australia (8,000 donors). Some organisations are understood to be considering legal action or seeking compensation from Pareto Phone.
It is understood that this week Pareto Phone provided charities with further detail about the data leak after commissioning a forensic examination of the data by external auditors KPMG.
Many organisations were told of additional donors being affected, while others learnt that they had escaped unscathed. The full report was not provided to charities, despite requests. Pareto Phone did not respond to requests for comment about the findings.
In the wake of the attack, Australia’s privacy watchdog (the Office of the Australian Information Commissioner [OAIC]), Fundraising Institute Australia, the Australian Securities and Investments Commission (ASIC), and the Australian Charities and Not-for-profits Commission (ACNC) have each issued warnings to organisations to take greater care when dealing with third-party operators with access to personal data.
New Zealand’s Office of the Privacy Commissioner this week also confirmed it had been alerted to the breach by Pareto Phone. A spokesperson said: “Our focus has been to provide agencies … advice on how to minimise the harm caused by the breach.”
Other peak bodies, such as the Community Council for Australia (CCA) and the Australian Council for International Development (ACFID), are also working together to protect the sector and lobby for greater support.
Many affected organisations have cut ties with Pareto Phone and complained to the OAIC or the FIA that the third-party fundraiser appeared to have breached data protection guidelines by holding on to data for many more years than was necessary.
Leading environmental advocate Greenpeace this week said that while only “a very small proportion” of its donor base was affected, it was “deeply disappointed” by the breach.
“We had expected Pareto Phone to destroy data in alignment with relevant regulations, which it has failed to do, so we’re very disappointed in this, as protecting the privacy of our supporters is of utmost importance to us,” a spokesperson said.
Other organisations, including Mission Australia and Red Cross Australia, this week stressed that even though they had been named in connection to the hack, their donor information had not been breached.
“At Mission Australia, we are always taking steps to improve and strengthen our protections to limit the risk of similar occurrences,” a Mission Australia spokesperson said.
Smaller charities such as CBM Australia, which helps people with disabilities overseas, have been working hard to improve their systems since first learning of a potential breach in April.
CBM CEO Jane Edge said 797 supporters had been affected, and although the breached data did not include financial information, in some cases names, emails, addresses and dates of birth had been disclosed. The organisation had ceased activities with Pareto and demanded it delete all CBM-related data.
She said CBM had been “heavily engaged with our own cyber experts and with Pareto to identify the nature of the files compromised on Pareto’s systems, and to press for timely details and appropriate action”.
“We have no intention of using Pareto Phone’s services again.”
While the OAIC has yet to launch a formal investigation and continues preliminary inquiries, its latest data breach report (January–June 2023) highlighted serious concerns about third-party providers, particularly when it came to data breaches affecting many parties.
According to the report, the watchdog had “observed an increase in the number of data breaches affecting more than one entity”. And it warned, “There are significant risks with outsourcing the handling of personal information to service providers and contractors.”
It said organisations should ensure any providers had strong information governance frameworks that adhered to the Australian Privacy Principles.
The report said the latest 409 data breaches represented a 16% drop on the previous six months, but that three breaches had affected more than one million people each, including one that affected more than 10 million Australians.
These included the huge Medibank hack (more than 10 million) and an Optus breach that affected more than 2 million people. The report did not capture the more recent Latitude Financial breach, which affected an estimated 14 million people.
OAIC commissioner Angelene Falk said, “Our latest Australian Community Attitudes to Privacy Survey found Australians view data breaches as the biggest privacy risk.”
Following questions by the Community Advocate, the OAIC confirmed there had been 25 notifiable data breaches affecting the charity sector for the full 2022–2023 year, comprising:
Since breach reports were made compulsory in 2018, charities have not figured in the top five most targeted sectors for “notifiable data breaches”. Where previous reports found that charities and not-for-profits were more susceptible to human error breaches than other sectors – such breaches include emails sent to the wrong people – the latest report showed malicious and criminal attacks were now more common.
Organisations most affected by data breaches in the most recent report were:
The chair of the Australian Securities and Investments Commission (ASIC), which registers not-for-profit companies, said boards must make cyber security and resilience a top priority, and failing to have adequate measures in place could expose directors to penalties.
Joe Longo, delivering a keynote address at a cyber summit this month, said the mass hacks that hit Optus and Medibank last year had been a “wake up call” for many organisations, but that the costs of cybercrime were still predicted to grow by a factor of 13 by 2031.
He stressed two key lessons for every leader:
In terms of vulnerability, he said, “Cyber preparedness is not simply a question of having impregnable systems. That’s not possible. Instead, while preparedness must include security, it must also involve resilience, meaning the ability to respond and weather a significant cyber security incident.”
Referring to the second lesson, Mr Longo said, “none of us has control over the security of a third-party provider”.
“If we rely solely on the security measures those providers have in place, we leave a wide opening for a data breach if those measures are compromised.”
He said breaches involving Latitude Financial, Perpetual and MOVEit were all linked to third-party systems.
Reliance on third parties for data security was “a serious weakness”, Mr Longo said.
He said ASIC’s early investigations showed that “one of the weakest links in cyber preparedness is third-party suppliers, vendors, and managed service providers”, with nearly half of a yet-to-be-released survey’s respondents not managing third-party risk.
He urged organisations to review providers and evaluate risks, but warned there was currently a “disconnect” between board oversight of cyber risk, management reporting of those risks to boards, identification and assessment of risks, and implementing controls.
“Cyber security and resilience are not merely technical matters on the fringes of directors’ duties,” he said.
“For all boards, cyber security and cyber resilience have got to be top priorities. If boards do not give cyber security and cyber resilience sufficient priority, this creates a foreseeable risk of harm to the company and thereby exposes the directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence.
“If you’re not evaluating your third-party cyber security risk, you’re deceiving yourself. And recent events show that you will suffer for it. Don’t put yourself in that position,” Mr Longo said.
The Australian Charities and Not-for-profits Commission (ACNC) has previously advised charities to conduct due diligence to check the policies, processes and practices of fundraising agencies before entering into agreements with them.
Third parties should have policies for data protection (including financial information security), for managing risk, and for effectively responding in the event of a cybersecurity attack or data breach, a spokesperson said.
Plan International Australia is among the organisations to have complained to Australia’s fundraising peak body, Fundraising Institute Australia (FIA), about potential breaches by Pareto Phone.
FIA chief executive Katherine Raskob said, “FIA is keenly aware of the recent security breaches and incidents affecting the charitable sector.”
“As the peak body for professional fundraising, we believe it is our role to do all we can to provide support and assistance when incidents such as this occur.”
While unable to discuss any complaints – which were treated confidentially – she said any investigations would be assessed by the FIA Code Authority, which oversees the “self-regulatory framework for best practice fundraising” as laid out in the FIA Code.
The code states: “Members will ensure that appropriate security measures are in place to protect donor information at all times.”
The code requires members’ contracts with all parties in the supply chain to comply with all relevant laws and regulations. It also requires contracted third-party organisations to be aware of member obligations and to avoid actions that could result in a member breaching the code.
Ms Raskob said FIA members were also considered to be compliant when meeting the guidelines laid out by the Australian Signals Directorate and the Digital Transformation Hub’s cyber security essentials.
She said complaints could be lodged at code@fia.org.au.
Ms Raskob said the FIA was working with the Public Fundraising Regulatory Association (PFRA), the Community Council for Australia (CCA), and the Australian Council for International Development (ACFID) on “short- and long-term initiatives to support [FIA] members and the sector” in understanding legal obligations under the Australian Privacy Principles.
Those initiatives included the development of new resources to guide members and the sector in relation to data security obligations and standards, and lobbying for funded support from the government.
The Community Council for Australia (CCA) has told this masthead that despite the Australian government’s promise to create six “shields” in its new cyber security strategy, charities and not-for-profits did not seem to be a priority.
In a commentary last week for the Community Advocate, CCA head David Crosbie said the sector was hampered by a lack of technology, training and funding and was vulnerable.
“It seems the sector is a sitting duck for bad actors seeking to disrupt and capitalise on weak cyber security.”
Figures from Infoxchange research into NFP technology use back up the claim, with more than half of NFPs failing to provide cybersecurity training to staff, and 45% without a breach response plan.
He said that Oxfam and the Smith Family recently outlined their experience of damaging cyber attacks, which occurred despite both organisations having well-developed cyber defence systems.
Those organisations spent “hundreds of thousands of dollars” addressing the hacks and handling the reputational fall-out.
“No matter how well prepared you think you are, an attack is a case of when, not if,” Mr Crosbie wrote.
The CCA wrote to the Prime Minister in August to warn that “charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks”, but is still waiting on a response.
During Not-for-profit Finance Week, the Commonwealth Bank’s state manager for transactional banking in Victoria and Tasmania, Gary Doyle, described how some not-for-profits were preparing for the inevitable attacks with recognised strategies. One cybersecurity framework encourages organisations to: “identify and protect assets, detect incidents, respond with appropriate plan, then recover normal operations”. To learn more, watch the 45-minute Cyber Update for Not-for-profits webinar, available on replay until October 31.
Know more? Contact matthews@ourcommunity.com.au