Thousands of generous Australians who supported charities including the Cancer Council, the Fred Hollows Foundation, the Australian Conservation Foundation and Canteen have had their personal information leaked to the dark web following a cyber attack on a telemarketing company.
The breach involves more than 70 charities and has raised serious concerns about the security of donor data and the role of third-party fundraisers in handling sensitive information.
The affected charities all used Pareto Phone, a Brisbane-based telemarketing firm, to collect donations, the ABC is reporting. While not all charities associated with Pareto Phone were affected, several organisations have confirmed that donor information has been published on the dark web.
Data made public includes names, addresses and tax file numbers.
The Fred Hollows Foundation has disclosed that around 1700 of its donors were affected and expressed its disappointment with Pareto Phone’s handling of donor data.
“We worked with Pareto Phone only during 2013 and 2014,” the foundation said in a statement.
“We were not aware our data was still held by them.”
‘De-identifying’ data laws
Under Australian privacy law, businesses must destroy or at least ‘de-identify’ (strip the data of any information that could reveal who it belongs to) personal data once it is no longer needed for the purpose for which it was collected.
“This is a requirement all our partners must comply with and we have requested Pareto Phone delete any remaining data on our donors,” the foundation says.
Another charity using Pareto Phone, Médecins Sans Frontières (MSF), also accused the company of retaining personal information.
“Under the Australian Privacy Principles, organisations must take reasonable steps to destroy personal information data that is no longer required.
“MSF has not worked with Pareto Phone for almost five years.”
MSF says it has informed the Office of the Australian Information Commissioner and the NZ Privacy Commissioner about the data breach and will work with them to protect donor data.
Charities a hot favourite
Cybercriminals and scammers are increasingly targeting charities, and in Australia those aged between 55 and 65 are the most likely to end up losing money to a charity-based scam or data breach.
Pareto Phone CEO Chris Smedley has apologised for the distress the breach had caused and said the company was working urgently with forensic data specialists to analyse the affected files.
“We have not at this stage identified any identity documents such as tax file numbers, driver licences and passports about any donor,” he said.
At this stage, Pareto Phone continues to make calls on behalf of charities and says it is committed to protecting information held on their behalf.
Managing director of global technology firm Waterstons Australia, Charlie Hales, told the ABC that Australia’s rules on how long to keep, and when to delete data, are “woolly”.
“There aren’t any rules about deleting the data within a period of time,” she said. “There are rules around retaining some information but not deleting it.”
Have you donated to charity in the past 12 months? Are you concerned for your data? Let us know in the comments section below.
It would be helpful to provide a list of those charities affected.
I understand people’s concerns about this happening, but wonder why either the charities or Pareto Phone would have individual tax file numbers. Yes, you can legitimately claim tax back on an approved donation, but that is between you and the ATO. There should be no reason for them to also require your tax file number. If any charity ever asked me for mine, my reply would be, if that is a requirement, then you don’t get a donation. In any case, I never respond to any call centres requesting charitable donations any more because of the current high levels of hacking happening.
Maybe it’s time to compel senior executives of these companies, even charities, who get paid very well, to earn their pay and do their job so the public can feel safe in providing the personal data which is demanded of them. Let’s make it a criminal offence punishable by time in jail to retain client information ONLINE or previous customers’ data beyond that which is required for normal business functions.