Charity data breach telemarketer hangs up the phone

Pareto Phone was put into voluntary external administration late last week, with liquidators appointed to wind up the company.

Documents lodged with the Australian Securities and Investments Commission (ASIC) reveal that Michael Brereton and Sean Wengel of William Buck were appointed on October 27 as liquidators, to formally wind up Pareto Phone, and associated companies.

The financial shut down follows a massive data breach affecting more than 70 charities and 50,000 donors, which prompted nearly every client to abandon the provider.

As many as 150 staff were employed before the collapse, but the Pareto Phone website, LinkedIn profile and Google address listings have now been disabled.

A staff member told the ABC she was given a day’s warning of the closure, while senior staff, including the former CEO, have listed themselves as “looking for work” on LinkedIn profiles. A commercial real estate listing has promoted the Brisbane ex-headquarters’ 64 workstations and eight offices.

Before the breach, business was booming for the telemarketer, which made more than a million calls to potential donors annually.

Former CEO Duncan Graham stated on his LinkedIn profile that company revenue was $100 million a year during his two years at the helm, in which time he had cut overheads by 16%.

The demise of the business coincided with confirmation by the privacy watchdog that it would launch a formal investigation into the theft of an estimated 320,000 files of data from the Brisbane-based business.

Pareto Phone’s system was first breached in April, but the incident was made public only in late August, about the same time that LockBit ransomware operatives published 150GB of data onto the dark web.

Charities were left scrambling to ensure donors did not abandon them, reassuring supporters where possible that highly sensitive data such as credit card details had not been released.

Since then, many charities have complained to regulators and the fundraising peak body that Pareto Phone kept donor data for years longer than it should have.

Some are considering taking legal action or seeking compensation for losses, although the business’s collapse is set to complicate matters.

Among the worst-hit organisations were WWF Australia (20,500 donors), the Australian Conservation Foundation (13,500 donors) and Plan International Australia (8,000 donors).

Following the breach, most affected charities cut ties with the telemarketer, vowing never to use their services again.

Among them, Greenpeace this week said that it was working "to migrate to a new fundraising partner" after last month raising serious concerns about Pareto's alleged failure to destroy data.

"Protecting the privacy of our supporters is something we take extremely seriously," a spokesperson for the organisation's Australia Pacific operations said.

"Working with fundraising partners ensures that more money goes to our campaigns, so our priority is ensuring this happens in a secure and timely manner. We look forward to this process being completed so we can continue to work to protect our right to a safe climate."

"We are deeply disappointed by this whole ordeal, and our thoughts are with those who have lost their jobs as a result."

Community Council of Australia (CCA) chief exective David Crosbie said this week, “It is not surprising that Pareto is no longer a viable business”.

“The reality is that fundraising companies rely on integrity and reputation to be successfully involved in public fundraising. In many ways, trust itself is the most important commodity we rely on to generate donations, client support and engagement.

“Pareto clearly lost the trust of the public and the charities it relied on for its income.”

He said he hoped “all legal, industrial and other obligations” would be met by Pareto management.

Mr Crosbie said the CCA and its allies expected to prepare a pre-federal Budget submission that addressed the cybersecurity threat to not-for-profits and charities. This followed high-level meetings with senior Home Affairs officials earlier this month, and a letter to the Prime Minister shortly after the breach, demanding greater support for the sector.

The Office of the Australian Information Commissioner (OAIC) also confirmed this week that it had launched a formal investigation.

“The OAIC commenced a Commissioner-initiated investigation into Pareto Phone earlier this month and notified the company’s owner, Merchant Place Investments.”

The OAIC last week released its annual report highlighting “unprecedented times” in which millions of Australians had been hit by the largest data breaches since it began measuring them. Privacy complaints were up by a third on the previous year to 3402.

“As well as being a wake-up call for Australian organisations, the prominent data breaches emphasised how collaboration by regulators and government can assist in identifying and reducing harms,” OAIC commissioner Angelene Falk said.

Following changes to laws late last year, maximum penalties for serious privacy breaches have risen to $50 million or 30% of a company’s turnover during the relevant period.

Further strengthening of the Privacy Act is expected to be rolled out by the federal government next year.

Company searches reveal that Pareto Phone’s owner before the winding-up order – Merchant Place Investments – is run by businessmen Nick Batchelor, Nick Mole and Tom Mould.

All describe themselves as managing directors of the company, which purchased Pareto Phone for $16.5 million in 2020.

At the time, Mr Mould said the Pareto Phone purchase was made by "long-term equity investors sharing a keen personal interest in the charitable sector".

Merchant Place Investments describes itself as a private investment company with some of Australia’s “most successful families and charitable foundations” as clients. Its investment strategy is to “invest in businesses that consistently generate cash flow for their owners … [focusing on] ‘enduringly profitable’​ businesses”.

A former senior executive in the Queensland education department, Mr Mould is listed in an online profile as the “current” chair of Pareto Phone, and has a long association with charities, having been appointed as an officer in the Order of Australia (AO) in 2019 for services to youth through charitable award programs.

On his LinkedIn profile, Mr Batchelor described himself as a co-founder of Merchant Place, as a former partner at Quadrant Private Equity, and as having held a string of senior directorships over the past decade.

Mr Mole lists himself as a co-founder of Merchant Place and is also a director of other companies the firm invests in.

The public relations firm that once represented Pareto Phone directed media inquiries to Merchant Place, which in turn did not respond to requests for comment.

This week, the Albanese Government announced a $5 billion investment by software giant Microsoft to boost the nation’s cybersecurity, cloud computing and artificial intelligence capabilities.

The tech giant will partner with Australia’s cyber spy agency, provide digital skills training for 300,000 people and increase the number of data centres here.

The new partnership follows a renewed focus by the government on cyber threats in response to massive hacks of Medibank, Optus and other businesses.