OXFAM AUSTRALIA DATA INCIDENT

What has happened?

Oxfam Australia was alerted to a suspected data incident on Wednesday 27 January 2021. Oxfam immediately launched an investigation and engaged IT forensic experts to assist in identifying whether data may have been accessed and any impact on our supporters. Oxfam Australia has notified industry regulators, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).

The independent investigation found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.

On 4 February 2021, Oxfam Australia alerted its supporters of the potential risk. On 1 March 2021, once the investigation enabled Oxfam Australia to identify the extent of the unlawful access, we began notifying our supporters about steps that they could take to protect their information.

The independent IT forensic investigation has been completed and Oxfam Australia has now also reported the matter directly to the Australian Federal Police.

Oxfam Australia suspended its fundraising activities while the independent IT forensic investigation was being undertaken and is now resuming these efforts given the investigation has concluded. This means that Oxfam Australia can get back to the lifesaving work that supporters care about, and we are starting to contact supporters about the ways they can get involved and support our work.

How many people have been affected? How do I know if I have been impacted?

In the interests of our supporters’ privacy and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted. The matter has now been reported directly to the Australian Federal Police.

Oxfam has contacted impacted supporters either directly or through website updates. If you are unsure about whether you are impacted or would like further information, please contact 1800 088 110 or enquire@oxfam.org.au

When was the data potentially accessed?

Oxfam Australia was alerted to the incident on Wednesday 27 January 2021, and on 23 February 2021, Oxfam’s IT forensic analysis was able to conclude that unauthorised access to the data took place on Wednesday 20 January 2021.

What information has been accessed?

While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party for the majority of supporters included names, addresses, dates of birth, emails, phone numbers, gender and in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters to inform them of the specific types of information relevant to them.

What should I do?

Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. Scammers can seem quite believable and impersonate government, police and businesses, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.

Have my credit card/bank details been accessed – should I cancel my card?

There was a small group of supporters who may have had their bank name, account number and BSB accessed, or part of their credit and debit card details accessed. We are contacting this group of supporters to provide advice on the particular steps that they can take to protect their information and avoid scams.

The processing of payments and storage of financial data for Oxfam Australia’s regular donors is undertaken via a payment system that is provided by our partner financial institutions and complies with Payment Card Industry (PCI) Data Security Standards. PCI Data Security Standards set the operational and technical requirements for organisations accepting or processing payment transactions. More information can be found here.

We encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails. You can find more advice on how to avoid scams generally at www.scamwatch.gov.au

Has my password been compromised? Should I change my passwords?

The IT forensic investigation found there is no evidence that passwords have been compromised. Based on that finding, Oxfam Australia will not be asking supporters to change their password. We encourage everyone to practice normal cyber security awareness, which may include, regular updating of passwords.

Should I take any steps to protect the information currently held in my Oxfam account?

While the investigation found that no passwords were compromised, we encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails.

I have been contacted by a data breach service telling me my personal information has been breached, why haven’t I heard from Oxfam Australia about this?

We have many supporters and are working as quickly as possible to contact them, but the process does take time. If you have not received an email from us, please check your email account’s spam folder as a precaution.

If you are unsure about whether you are impacted or would like further information, please contact 1800 088 110 or enquire@oxfam.org.au

Why is the alert I received from the data breach service different to the information I have received from Oxfam Australia?

Oxfam Australia engaged market leading IT forensics experts to conduct a thorough and complex investigation, which gave us precise information about the data incident.

Not all supporters have been impacted in the same way by the data incident, which is why Oxfam Australia has tailored its communications for supporters based on information and advice that is relevant to their situation.

Notifications or alerts from external data breach services may be general in nature and include advice or information that is not relevant to the specific impact on an individual.

I’ve had a scam call/s or unsolicited emails etc, is this linked to the Oxfam Australia incident?

Australians are subjected to scam calls on a frequent basis using an array of data available from our social media accounts and many other places. www.scamwatch.gov.au publishes information on its website about the most current scams impacting the community. If you believe that scam activity you have experienced relates to this event, please contact our supporter response team on 1800 088 110.

Why did Oxfam have my details in the first place?

Oxfam has records of people who may have signed a petition or taken part in a campaign, or who have made donations or purchased through our former shops. The types of personal information that Oxfam collects, and how we collect, handle and use that information, is documented within our Privacy Policy.

Will Oxfam remove my details from its database if I request this?

We can remove your contact details from our marketing database and ensure that you no longer receive marketing materials from us. We can also remove your personally identifiable information from other systems, where we are not required to retain that information in respect of our regulatory obligations or where the information is no longer required for the purpose for which it was collected.

How does Oxfam Australia know this will not happen again?

Oxfam Australia takes the privacy and security of our supporters’ data extremely seriously and we have taken important steps to help prevent any similar incidents happening again. While we had robust security systems in place at the time, the cybercrime environment is becoming increasingly sophisticated. In response to this, we are constantly reviewing and strengthening our security systems to protect your information.

Have authorities been notified?

The matter has been reported to relevant authorities, including the Australian Cyber Security Centre (ACSC), Office of the Australian Information Commissioner (OAIC) and Australian Federal Police.

How can I learn more?

As Oxfam Australia learns further information, we will provide updates as appropriate. Supporters wanting to seek or provide more information on this matter can contact us on 1800 088 110.

1 March 2021: Update

Following an independent IT forensic investigation, Oxfam Australia announced today that it has found supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.

The database includes information about supporters who may have signed a petition, taken part in a campaign or made donations or purchases through our former shops.

While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party for the majority of supporters included names, addresses, dates of birth, emails, phone numbers, gender and in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.

Oxfam Australia alerted its supporters of the potential risk on 4 February 2021 and has now begun notifying all supporters about steps that they can take to protect their information.

Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner and Australian Cyber Security Centre.

Chief Executive Lyn Morgain said that Oxfam Australia immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.

“Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” Ms Morgain said. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”

Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from actioning unsolicited requests to provide information, including actioning links and opening attachments. Scammers can seem quite believable and impersonate government, police and business, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.

Ms Morgain assured Oxfam Australia would continue to work with relevant authorities and treat the incident with the utmost seriousness on behalf of its supporters.

“The privacy and protection of our supporters has been our paramount consideration during this process, which has involved a thorough and complex investigation,” Ms Morgain said

“Oxfam supporters are at the heart of our organisation and their confidence is critical to our ongoing work in tackling the inequality that causes poverty around the world.

“We sincerely regret this incident has occurred.”

Supporters wanting to seek or provide more information on this matter can contact 1800 088 110.

4 February 2021: Oxfam Australia investigating suspected data incident

Late last week, Oxfam Australia was alerted to a suspected data incident. Oxfam immediately launched an investigation and engaged market leading experts to assist in identifying whether data may have been accessed and any impact on its supporters.

Chief Executive Lyn Morgain said Oxfam Australia had reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) while continuing to investigate the suspected incident.

“Oxfam Australia is committed to working with all relevant authorities and experts to determine the facts and respond appropriately,” Ms Morgain said.

“Launching the investigation and ascertaining key facts have been our priorities, but this is a complex issue and inquiries are in their early stages.

“We have also taken immediate steps to further secure our environment and leading IT forensic experts have been engaged to conduct an investigation.

“Oxfam Australia’s priorities are confirming the type of data that may have been accessed and whether or not there are any impacted individuals.

“We assure our valued supporters that we are treating the matter with the utmost seriousness.”

“We are committed to communicating quickly to our supporters once the facts have been established, and we will provide updates as we learn more.”

“Oxfam supporters are at the heart of our organisation and their confidence is critical to our ongoing work in tackling the inequality that causes poverty around the world.”

Supporters wanting to seek or provide more information on this matter can contact 1800 088 110.