Watchdog scraps probe into mass charity data breach

The Office of the Australian Information Commissioner (OAIC) – in response to questions from the Community Advocate about the status of the investigation – has revealed that it has quietly ended its investigation, which began in October last year.

The OAIC cited the company’s collapse, limitations on likely “remedies” for victims and resource constraints as reasons for closing the case.

“The reason for not further pursuing the investigation is that, having looked into the matter, and noting that the company is in liquidation, the possible remedies that we could obtain for the community would not be proportionate to the resources required,” an OAIC spokesperson said.

Charity hack triggered alarm bells across the sector

The Brisbane-based Pareto Phone company’s system was first breached in April, but the incident was made public only in late August, about the same time that LockBit ransomware operatives published 150GB of data onto the dark web, to the shock and dismay of many Pareto Phone clients.

The hack saw more than 320,000 files taken from the company, including personal information, credit card details, donor histories, internal documents, financial information and staff details. A KPMG audit of the true extent of the hack was never made public.

Among the worst hit charities were WWF Australia (20,500 donors), the Australian Conservation Foundation (13,500 donors), and Plan International Australia (8,000 donors).

By October, the company was placed into external administration, owing more than $17 million to creditors, less than two months after its major charity clients abandoned ship.

At that time, the OAIC confirmed it had launched an investigation and said it was pursuing the owners of the company, Merchant Place Investments, which describes itself as “a private investment company” with “some of Australia’s most successful families and charitable foundations” as clients.

At the time, Merchant Place was controlled by two directors, Nicholas Mole and Nick Batchelor. As of yesterday, Australian Securities and Investments Commission (ASIC) records show that Pareto Phone Pty Ltd remains under external administration, with Thomas Mould as its sole director and secretary.

Many of the affected charities complained to both the OAIC and the fundraising peak body, Fundraising Institute Australia (FIA), that Pareto Phone had breached privacy rules by holding onto donor data for years longer than it should have.

Some organisations contemplated legal action or seeking compensation from Pareto Phone, but may now face an uphill battle in the absence of any formal regulatory ruling and the company’s shutdown.

More resources being developed for the sector

The OAIC said this week that it was in the process of updating guidance for the charity and not-for-profit sector in the wake of the incident, with a focus on the use of third-party providers.

“In response to issues raised in the investigation, the OAIC is updating its guidance for the charity and not-for-profit sector to highlight the sector’s obligations under the Privacy Act when engaging third-party providers to assist in fundraising activities, particularly when the third parties are provided with the personal information of donors.

“The updated guidance will include practical advice about ensuring good privacy practices when engaging external vendors, such as being informed about how information will be collected, handled and stored; conducting periodic reviews of arrangements; and ensuring the third party deletes any personal information at the end of the contract term.”

The OAIC stressed that all organisations should ensure “vendors have appropriate processes in place to protect personal information and comply with any obligations they have under the Privacy Act”.

Similar warnings have come from FIA, ASIC, the Australian Charities and Not-for-profits Commission (ACNC) and New Zealand’s Office of the Privacy Commissioner.

Peak bodies including the Community Council for Australia (CCA) and the Australian Council for International Development (ACFID) sought additional federal support in the wake of the hack, and CCA wrote to the Prime Minister warning, “charities and not-for-profits have not been provided with the support they need to deal with an increasingly sophisticated level of cyber-attacks”.

The OAIC last year said 25 notifiable data breaches had affected the charity sector in 2022–2023.

Authorities overseas had some success in March in taking down some of the Lockbit hackers behind the Pareto Phone incident.

They took control of the LockBit sites, arrested several suspects, froze LockBit Bitcoin accounts, shut down servers and websites, and took charge of ransomware infrastructure.

LockBit was understood to have re-emerged soon after with new encrpytors and servers.

More information

Cybersecurity remains a hot-button issue for NFPs (includes resource links)