Charity said donors’ personal information was exposed
Oxfam Australia has confirmed that it has suffered a data breach after a database containing supporters’ information was “unlawfully accessed”.
In a statement, the charity said that an external party gained access to the database on January 20, 2021.
Oxfam Australia said it became aware of the breach seven days later and engaged “industry-leading forensic IT experts” to conduct an investigation.
The database included information about supporters who may have signed a petition, taken part in a campaign, or made donations or purchases through shops, Oxfam Australia said.
This data includes names, addresses, dates of birth, emails, phone numbers, gender, and in some cases donation history.
Oxfam Australia said it began informing the victims on February 4 and is offering guidance “about steps that they can take to protect their information”.
“For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them,” the statement reads.
Oxfam Australia said it has notified and is working with the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.
Under Australia’s Notifiable Data Breach (NDB) law, organizations that have an annual turnover of A$3 million ($2.1 million) or more are required to report a data breache within one month of the incident being detected.
Such incidents are only notifiable if they are likely to cause “serious harm”, according to the bill.
Chief Executive Lyn Morgain said: “Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements.
“We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”
The charity has warned all supporters to be wary of any scam calls, emails, or text messages that may be a result of the breach.