Oxfam Australia, a non-profit charity working towards the eradication of poverty around the globe through humanitarian services, recently reported that it was investigating a “data incident” which potentially affected 1.7 million registered supporters. The incident first came to light on January 27, 2021, after which an investigation was promptly launched with the help of forensic IT experts.
Evidence of Data Breach Confirmed
Following the breach, Oxfam Australia notified industry regulators, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC). The thorough forensic investigation, which began in January and ended on February 23, 2021, confirmed that “unlawful” access to its supporters’ data did take place on January 20, 2021. According to the forensic analysis, the following personally identifiable information (PII) was accessed during the data breach:
- Names and addresses
- Dates of birth (D.O.B) and gender
- Emails and phone numbers
- Donation history (in some cases)
- For a limited group of supporters, additional information held in the database; Oxfam Australia is contacting these supporters directly to inform them of the specific types of information possibly compromised
According to Oxfam’s official update, no supporter account passwords were compromised, but the bank name, account number, and BSB of a small group of individuals could have been accessed. To help supporters avoid scams such as identity theft, phishing, and smishing, Oxfam has recommended that they reset their passwords and look out for any malicious activity related to the compromised data. For further advice on avoiding such scams, Oxfam Australia has asked supporters to refer to the suggestions posted on www.scamwatch.gov.au.
Oxfam Australia has maintained high transparency and abided by the widely accepted NIST framework in its handling of the incident. From the beginning, it informed its users about the potential data breach, conducted a thorough forensic investigation, and then released its findings confirming that the data breach occurred. However, it has not disclosed the exact number of people affected.
Justifying this stance, Oxfam said,
“Throughout our investigation, the privacy and protection of our supporters has been our top priority. In the interests of ensuring the ongoing security of our database and our supporters’ privacy and protection and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted.”