The victim list of an April data breach of a Brisbane-based telemarketing firm serving the not-for-profit sector is widening, with more charities confirming exposure to the incident.
The ABC reported Wednesday that Pareto Phone had been breached but that not all of its 70-plus clients were affected.
Still, the number of organisations caught up continues to expand, with Amnesty International Australia (AIA) the latest large charity to confirm exposure.
AIA also provided a timeline for the attack in a detailed statement released late last night.
It was first made aware of the incident – “involving unauthorised access” to Pareto Phone’s systems – in April.
“At that time, Pareto Phone assured Amnesty and its other charity partners that there was no evidence to suggest that donor data had been downloaded or taken,” AIA said.
“We were advised that the files accessed related to campaign background and briefing documents which do not contain personal information.”
Pareto has since had forensic and cyber security investigators working to determine the extent of the breach.
That led to revised guidance from Pareto Phone to AIA earlier this month “that some of our supporters’ information may be impacted.”
AIA said it then started its “own forensic analysis”.
“Our investigation indicates that some of our supporter data was involved, but is limited to basic details and contact information, which is understood to present a low risk of misuse,” the charity said.
It said stolen details included “name, physical address, email, mobile and date of birth”, but not financial information.
AIA said it had initially suspended work with Pareto Phone in April but resumed in May “after receiving assurances … that donor data had not been taken”. It has since suspended use of the company again.
Some of the data exposed is historical, involving not-for-profits that had not used Pareto for a number of years.
Médecins Sans Frontières said its exposure to the incident is data from 2012 to 2015.
The Australian Conservation Foundation (ACF) also suggested its exposure to the incident involved historical data, and impacted 13,500 supporters’ personal information.
“We care about our supporters, so we are dismayed that the personal information of some of them has been compromised by a service provider,” ACF said.
“We trusted Pareto with our supporters’ personal information so the company could help us raise funds to continue our environmental protection and advocacy work.
“We are concerned Pareto kept old data it should have destroyed. We are suspending our relationship with Pareto immediately.”
Children’s Cancer Institute said it had engaged Pareto Phone’s services “within the periods of 2006-2008 and 2016-2017.”
Its exposure is limited to “internal administrative files only and are of no risk to our donors and supporters.”
WWF-Australia has also listed exposure.