Non-profit organisation discloses database was “unlawfully” accessed.
Following an independent IT forensic investigation, Australian independent not-for-profit Oxfam Australia has found that supporters’ information on one of its databases was “unlawfully accessed” by an external party on 20 January 2021.
The database includes information about supporters who may have signed a petition, taken part in a campaign, or made donations or purchases through its former shops.
While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party included, for the majority of supporters, names, addresses, dates of birth, emails, phone numbers, gender and, in some cases, donation history.
For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.
Oxfam Australia alerted its supporters to the potential risk on 4 February 2021 and has now begun notifying all supporters about steps that they can take to protect their information.
Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner and Australian Cyber Security Centre.
Chief executive Lyn Morgain said the organisation immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.
“Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” Morgain said. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”
Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from actioning unsolicited requests to provide information, including actioning links and opening attachments. Scammers can seem quite believable and impersonate government, police and business, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.
Morgain gave an assurance that Oxfam Australia would continue to work with relevant authorities and treat the incident with the utmost seriousness on behalf of its supporters.
“The privacy and protection of our supporters has been our paramount consideration during this process, which has involved a thorough and complex investigation,” she said.