More details sought in failed charity hack investigation

Posted on 04 Sep 2024

By Matthew Schulz, journalist, Institute of Community Directors Australia

Digital Security Cyber shutterstock 2376028571

The collapse of an investigation into the charity telemarketer in which 50,000-plus donors’ details were dumped on the dark web by cybercriminals faces further scrutiny following an order for authorities involved in the case to hand over crucial documents.

Pareto Phone was breached early last year in an attack by the LockBit cybercriminal group, which made good on its threat to put 1.5GB of data up for sale if the Brisbane-based firm did not pay a ransom.

More than 70 of Australia’s most prominent charities were affected, many of which complained that Pareto Phone appeared to have held onto their data far longer than privacy guidelines stipulate.

Last month, following inquiries by the Community Advocate, Australia’s privacy watchdog confirmed it had quietly ended the investigation.

The following week, Privacy Commissioner Carly Kind – again responding to questions from the Community Advocate – told a regulators’ forum that her Office of the Australian Information Commmissioner (OAIC) dropped the case “because of the unlikelihood that we would exact [an] outcome for the Australian community, given that the organisation has gone into administration”.

Up to 70 Australian and NZ charities were affected by the hack by the LockBit ransomware group.

Sector advocates said the decision to drop the case was a lost opportunity to avoid a repeat incident.

The Community Advocate learned last month that Pareto Phone had been signed up to the voluntary Fundraising Institute Australia (FIA) code at the time of the breach, which is aimed at protecting donor details. The FIA halted an investigation after Pareto Phone cancelled its membership.

Now the shadow Charities Minister, Senator Dean Smith, has ordered a range of authorities to release information about their dealings ahead of that decision.

Senator Smith used parliament to demand that Attorney General Mark Dreyfus publicly release a tranche of documents including “all written or digital correspondence, briefing notes, file notes, meeting notes, meeting agendas or minutes, or other records of interaction”.

The senator’s order covered communication since January 2024 between the OAIC, the attorney-general, Charities Minister Andrew Leigh and the Australian Charities and Not-for-profits Commission “in relation to the undertaking and subsequent ending of an investigation into the charity telemarketer Pareto Phone’s data breach”.

The authorities in question have until September 20 to respond.