What has happened?
Oxfam Australia was alerted to a suspected data incident on Wednesday 27 January 2021. Oxfam immediately launched an investigation and engaged IT forensic experts to assist in identifying whether data may have been accessed and any impact on our supporters. Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
The independent investigation has found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.
Oxfam Australia alerted its supporters of the potential risk on 4 February 2021. Now that the investigation has enabled Oxfam Australia to identify the extent of the unlawful access, we have begun notifying all supporters about steps that they can take to protect their information.
How many people have been affected? How do I know if I have been impacted?
Oxfam Australia has begun contacting supporters with information and advice that is relevant to their situation and the information that has been accessed.
Throughout our investigation, the privacy and protection of our supporters has been our top priority. In the interests of ensuring the ongoing security of our database and our supporters’ privacy and protection and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted.
When was the data potentially accessed?
Oxfam Australia was alerted to the incident on Wednesday 27 January 2021, and on 23 February 2021, Oxfam’s IT forensic analysis was able to conclude that unauthorised access to the data took place on Wednesday 20 January 2021.
What information has been accessed?
While the investigation found that no passwords were compromised, for the majority of supporters the database unlawfully accessed by the external party included names, addresses, dates of birth, emails, phone numbers, gender and, in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.
What should I do?
Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from responding to unsolicited requests to provide information, including clicking on links and opening attachments. Scammers can seem quite believable and impersonate government, police and businesses, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.
Have my credit card/bank details been accessed – should I cancel my card?
There was a small group of supporters who may have had their bank name, account number and BSB accessed, or part of their credit and debit card details accessed. We are contacting this group of supporters to provide advice on the particular steps that they can take to protect their information and avoid scams.
We encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails, particularly when they request personal and account information or that you click on a link or any attachments. You can find more advice on how to avoid scams generally at www.scamwatch.gov.au. Oxfam Australia will not contact you while we are investigating this data incident to ask for personal information, so please report any suspicious behaviour to us directly by contacting our team on 1800 088 110.
Has my password been compromised? Should I change my passwords?
The IT forensic investigation found there is no evidence that passwords have been compromised. Based on that finding, Oxfam Australia will not be asking supporters to change their password. We encourage everyone to practice normal cyber security awareness, which may include regularly updating passwords.
Should I take any steps to protect the information currently held in my Oxfam account?
While the investigation found that no passwords were compromised, we encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails, particularly when they request personal and account information or that you click on a link or any attachments.
I’ve had a scam call/s or unsolicited emails etc, is this linked to the Oxfam Australia incident?
Australians are subjected to scam calls on a frequent basis using an array of data available from our social media accounts and many other places. www.scamwatch.gov.au publishes information on its website about the most current scams impacting the community. If you believe that scam activity you have experienced relates to this event, please contact our supporter response team on 1800 088 110.
Why did Oxfam have my details in the first place?
Will Oxfam remove my details from its database if I request this?
We can remove your contact details from our marketing database and ensure that you no longer receive marketing materials from us. We can also remove your personally identifiable information from other systems, where we are not required to retain that information in respect of our regulatory obligations or where the information is no longer required for the purpose for which it was collected.
How does Oxfam Australia know this will not happen again?
Oxfam Australia takes the privacy and security of our supporters’ data extremely seriously and we have taken important steps to help prevent any similar incidents happening again. While we had robust security systems in place at the time, the cybercrime environment is becoming increasingly sophisticated. In response to this, we are constantly reviewing and strengthening our security systems to protect your information.
Have authorities been notified?
The matter has been reported to relevant authorities, including the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).