Why your supporters are wealthier than you expect. Course details.

Cyberattack on Australia-based telemarketing group put donor data on dark web

Melanie May | 29 September 2023 | News

Brisbane-based Pareto Phone was hacked in April this year, affecting up to 70 charities across Australia and New Zealand and tens of thousands of their donors.

According to reports (including here and here), while Pareto Phone first told charities that there was no evidence data had been downloaded or taken, it came to light this summer that the ransomware group responsible, LockBit, had in fact taken donor data and put it on the dark web. One of the charities involved, the Australian Conservation Foundation, said 13,500 of its supporters had been affected.

In terms of what data was accessed, another affected charity, ChildFund NZ said in a statement that it included titles and names, postal addresses and postcodes, and phone numbers.


Why your supporters are wealthier than you think... Course by Catherine Miles. Background photo of two sides of a terraced street of houses.

However, raising another issue, it was also revealed that Pareto Phone had been holding onto data for many years unbeknownst to the charities involved, with the Baker Heart and Diabetes Institute saying it hadn’t worked with Pareto Phone for more than eight years, and Stroke Foundation since 2017. ChildFund NZ said it had partnered with the company back in 2014, while MSF Australia also said it had not worked with Pareto Phone for almost five years and was “not aware that Pareto Phone had retained this historical data.”

Pareto Phone has been working with forensic specialists to identify the scale of the problem, and regulators have been informed.

A growing problem

Cyberattacks are an increasing problem for charities. A report last October revealed that one in eight in the UK had experienced cybercrime in the past 12 months. Back in 2022, the International Committee of the Red Cross (ICRC) suffered a sophisticated cyber security attack against computer servers that compromised personal data and confidential information from at least 60 Red Cross and Red Crescent National Societies around the world, on more than 515,000 highly vulnerable people.

More recently in the UK, research-based consultancy About Loyalty’s third-party research partner Kokoro was targeted. Kokoro’s forensic investigation determined that the group responsible may have been able to access some data relating to a subset of About Loyalty’s clients. In this case, the information on Kokoro’s systems was limited to some supporter details and historic donation information and did not include postal addresses, financial information or identity documentation. About Loyalty informed the charity clients who may have been affected, with a number of these, including Shelter and Friends of the Earth, moving to make aware and reassure supporters.

The annual Charity Fraud Awareness Week, which aims to help charities better protect themselves from fraud and cybercrime, runs from 27 November to 1 December this year.