A data breach at a Brisbane-based telemarketer has impacted some of Australia’s most well-known charities, exposing personal information from thousands of donors to the dark web.

The attack happened at Pareto Phone, a third-party tele-fundraising supplier which collects donations and services for more than 70 Australian charities.

While not all charities which use Pareto have been affected, reputable organisations such as The Cancer Council, The Fred Hollows Foundation and Canteen have all confirmed their donors were caught up in the attack.

In a statement provided to Information Age, Australia-based blindness charity The Fred Hollows Foundation said at least 1,700 of its donors’ data had been impacted.

“We believe the impact on our donor data is limited to about 1,700 donors,” The Fred Hollows Foundation revealed in a statement.

“According to the information Pareto Phone has given us, the compromised data does not involve financial, credit card or bank account information.”

The foundation confirmed there was “no impact” to its own systems, and said it was “deeply disappointed” over its donors being affected by the breach at Pareto.

Meanwhile, other charities such as cancer charity The Cancer Council and humanitarian aid organisation Médecins Sans Frontières (MSF) are still working to determine the full impact of the incident.

“We are currently working to understand the impact of this breach,” MSF told Information Age. “We are so disappointed that MSF supporters have been caught up in this Pareto breach. We are contacting any affected MSF supporters as soon as it is clear who has been affected and what information has leaked.”

Pareto held donor data for years

Both MSF and The Fred Hollows Foundation suggest the third-party fundraiser held on to donor data for longer than was necessary – effectively exposing donors to unnecessary risk.

“MSF has not worked with Pareto Phone for almost five years,” the organisation said in a statement on Wednesday.

“Under the Australian Privacy Principles, organisations must take reasonable steps to destroy personal information data that is no longer required.”

Monash University cyber security professor Nigel Phair said data deletion was an important step for companies to avoid data breaches.

“The best way for organisations not to have a data breach is for them to delete customer identifying information post-transaction,” said Phair.

When asked why Pareto reportedly held its data longer than was actually necessary, MSF told Information Age it had not been given an explanation.

MSF said it had not engaged Pareto since 2018, while The Fred Hollows Foundation last worked with the company a decade ago.

“We worked with Pareto Phone only during 2013 and 2014,” said The Fred Hollows Foundation.

“We were not aware our data was still held by them.”

Pareto declined to answer Information Age’s request for comment.

Attack first detected in April

Although the cyber incident was first detected by Pareto in April, a statement from Australia’s leading youth cancer charity Canteen suggests charities were not informed of the ensuing data theft until 8 August.

“At the time, Canteen was assured that no data relating to its supporters had been accessed or downloaded,” said Canteen.

“On 8 August we were then informed that Canteen and numerous other charities across Australia were possibly affected by the data theft.

“They have now informed us that there were some Canteen supporters who had information about them stolen from Pareto Phone.”

Since finding out about the breach, Canteen has “paused all activity” with Pareto in consideration of “potential risks” to its data.

Although Canteen said its own systems have not been impacted and that it continues to use the “best available software” to protect its IT infrastructure, the breach at Pareto highlights a recurring trend of third-party incidents leading to major data theft in Australia.

Last month, participants of the National Disability Insurance Scheme were caught in a third-party incident at law firm HWL Ebsworth, and both the Tasmanian and ACT governments have suffered recent security incidents due to attacks at external providers.

“Organisations, including charities and other not-for-profit organisations who may not think they will get caught up in a data breach incident, need to do due diligence when using third-party providers,” said Phair.

“Beyond what organisations can do to safeguard themselves, we need an effective ‘stick’ to be used as a deterrent so companies are not lax with their cyber security.

“The Privacy Commissioner now has increased penalties at their disposal, so it would be good to see such penalties imposed where justified,” he added.

According to the ABC, Pareto Phone CEO Chris Smedley said the company was working with forensic specialists to analyse affected files, and has not identified any identity documents such as tax file numbers, passports or drivers licences at this stage.