Legacy Australia, the charity responsible for providing assistance to Australian military veterans, has issued a statement saying that some of its donors may have had their data leaked on the dark web.
The organisation, which provides services and assistance to over 40,000 veterans’ families, including widows and dependents, has said that its “Legacy Clubs have previously worked with Pareto and personal information of a small number of our donors may have been compromised”.
“Those donors whose personal information may have been compromised have been contacted by Legacy.”
Not much more is known at this stage as to what data may have been compromised or how many donors may now have their data on the dark web, but the organisation has expressed its distaste with the breach.
“Legacy is disappointed that this section of our supporters may have been impacted by this data breach.”
The attack hit Brisbane-based telemarketing firm Pareto Phone back in April. The company is responsible for reaching out for donations on behalf of a number of major charities.
Following the hack, the data of donors across multiple charities was leaked on the dark web. At this stage, it is unknown how many donors or charities have been compromised; Pareto Phone is responsible for more than 70 charities.
The Pareto Phone data was first listed by LockBit on its leak site on 31 July, with the group listing a deadline of 7 August. While not explicitly stated, based on the criminal group’s previous activities, LockBit had likely reached out to Pareto Phone demanding a ransom payment for the deletion and/or decryption of the stolen data.
The threat group said it had stolen 150 gigabytes of personal data and that if terms were not met, the data would be released on 7 August 2023.
“FILES ARE PUBLISHED,” said the group on its dark web leak site, seen by Cyber Security Connect.
While it is unclear whether all of Pareto Phone’s charities have been affected, the number of charities announcing that their data has been compromised is likely to grow.
The breach raises concerns regarding data retention, with some of the data listed dating back to as early as 2007.
Professor Nigel Phair, department of software systems and cybersecurity, faculty of information technology, has said that organisations need to be careful when using third-party providers and should ensure that data is deleted.
“The best way for organisations not to have a data breach is for them to delete customer-identifying information post-transaction,” he said.
“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers.
“Beyond what organisations can do to safeguard themselves, we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cyber security. The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified.”