Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

13,500 Australian Conservation Foundation donors have data leaked on dark web

The country’s national environmental organisation, the Australian Conservation Foundation (ACF), has announced that the Pareto Phone data breach has resulted in the data of 13,500 of its donors being leaked on the dark web.

user icon Daniel Croft
Thu, 24 Aug 2023
13,500 Australian Conservation Foundation donors have data leaked on dark web
expand image

The charity has said it is saddened by the news that the breach had resulted in so many of its generous donors having their data leaked online.

“We trusted Pareto with our supporters’ personal information so the company could help us raise funds to continue our environmental protection and advocacy work,” a spokesperson for the ACF said.

The ACF has said that the data leaked included names, addresses, email address, and birth dates but that as far as it is aware, no financial information had been leaked.

============
============

We understand no ACF supporters’ credit card information or identifying documents are involved, the spokesperson added.

In addition, the charity has said that there is currently no evidence that the data of its donors has been misused, and that its own systems remain intact.

The 13,500 affected donors are being contacted by the ACF.

“We are very sorry this has happened.”

The charity has expressed frustration with Pareto Phone’s holding of data, saying it had used the telemarketing service over a number of years.

We are concerned that Pareto kept old data it should have destroyed,” the spokesperson said.

The ACF has said that it has now suspended its relationship with the telemarketer.

The attack hit Brisbane-based telemarketing firm Pareto Phone back in April. The company is responsible for reaching out for donations on behalf of a number of major charities.

Following the hack, the data of donors across multiple charities was leaked on the dark web. While at this stage, it is unknown how many donors or charities have been compromised, with Pareto Phone responsible for more than 70 charities.

The Pareto Phone data was first listed by LockBit on its leak site on 31 July, with the group listing a deadline of 7 August. While not explicitly stated, LockBit had likely reached out to Pareto Phone demanding a ransom payment for the deletion and/or decryption of the stolen data, based on the criminal groups previous activities.

The threat group said it had stolen 150 gigabytes of personal data and that if terms were not met, the data would be released on 7 August 2023.

“FILES ARE PUBLISHED,” said the group on its dark web leak site, seen by Cyber Security Connect.

While it is unclear whether all of Pareto Phone’s charities have been affected, the number of charities announcing that their data has been compromised is likely to grow.

The breach raises concerns regarding data retention, with some of the data listed dating back to as early as 2007.

Professor Nigel Phair, department of software systems and cybersecurity, faculty of information technology, has said that organisations need to be careful when using third-party providers and should ensure that data is deleted.

“The best way for organisations not to have a data breach is for them to delete customer identifying information post-transaction," he said.

“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers.

“Beyond what organisations can do to safeguard themselves, we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cyber security. The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified.”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.