What has happened?
Oxfam Australia was alerted to a suspected data incident on Wednesday 27 January 2021. Oxfam immediately launched an investigation and engaged IT forensic experts to help determine whether data had been accessed and what the impact on our supporters might be. Oxfam Australia has notified the relevant authorities, including the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC).
The independent investigation found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.
On 4 February 2021, Oxfam Australia alerted its supporters of the potential risk. On 1 March 2021, once the investigation enabled Oxfam Australia to identify the extent of the unlawful access, we began notifying our supporters about steps that they could take to protect their information.
The independent IT forensic investigation has been completed and Oxfam Australia has now also reported the matter directly to the Australian Federal Police.
Oxfam Australia suspended its fundraising activities while the independent IT forensic investigation was being undertaken and is now resuming these efforts given the investigation has concluded. This means that Oxfam Australia can get back to the lifesaving work that supporters care about, and we are starting to contact supporters about the ways they can get involved and support our work.
How many people have been affected? How do I know if I have been impacted?
In the interests of our supporters’ privacy and to reduce the risk of attempts by scammers to target Oxfam supporters, we are not releasing details of the number of people who may have been impacted. The matter has now been reported directly to the Australian Federal Police.
Oxfam has contacted impacted supporters either directly or through website updates. If you are unsure about whether you are impacted or would like further information, please contact 1800 088 110 or firstname.lastname@example.org
When was the data potentially accessed?
Oxfam Australia was alerted to the incident on Wednesday 27 January 2021, and on 23 February 2021, Oxfam’s IT forensic analysis was able to conclude that unauthorised access to the data took place on Wednesday 20 January 2021.
What information has been accessed?
The investigation found no evidence that passwords were compromised. For the majority of supporters, the database unlawfully accessed by the external party contained names, addresses, dates of birth, email addresses, phone numbers and gender, and in some cases donation history. For a limited group of supporters the database contained additional information, and Oxfam is contacting those supporters to tell them the specific types of information relevant to them.
What should I do?
Given the nature of the information accessed, there may be an increased risk of scam communications via unsolicited emails, phone calls or text messages. Scammers can seem quite believable and may impersonate government agencies, police and businesses, including by making the caller ID or sender address look legitimate; a familiar phone number or email address is not proof of who is contacting you. If in doubt, do not reply using the contact details supplied in the message. Instead, look up the organisation's official, publicly listed phone number or website yourself and make your own enquiries through that channel.
Have my credit card/bank details been accessed – should I cancel my card?
A small group of supporters may have had their bank name, BSB and account number accessed, or part of their credit or debit card details accessed. We are contacting this group of supporters directly to advise them of the particular steps they can take to protect their information and avoid scams.
Payment processing and the storage of financial data for Oxfam Australia's regular donors is handled by a payment system provided by our partner financial institutions, which complies with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS sets the operational and technical requirements for organisations that accept or process payment card transactions. More information can be found here
We encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails. You can find more advice on how to avoid scams generally at www.scamwatch.gov.au
Has my password been compromised? Should I change my passwords?
The IT forensic investigation found no evidence that passwords have been compromised. Based on that finding, Oxfam Australia will not be asking supporters to change their password. We encourage everyone to practise normal cyber security awareness, which may include updating passwords regularly and using a different password for each service so that a compromise of one account cannot be reused against another.
Should I take any steps to protect the information currently held in my Oxfam account?
While the investigation found that no passwords were compromised, we encourage everyone to practice normal cyber security awareness and be careful when responding to unsolicited communications, including phone calls, SMS messages and emails.
I have been contacted by a data breach service telling me my personal information has been breached, why haven’t I heard from Oxfam Australia about this?
We have many supporters and are working as quickly as possible to contact them, but the process does take time. If you have not received an email from us, please check your email account’s spam folder as a precaution.
If you are unsure about whether you are impacted or would like further information, please contact 1800 088 110 or email@example.com
Why is the alert I received from the data breach service different to the information I have received from Oxfam Australia?
Oxfam Australia engaged market-leading IT forensics experts to conduct a thorough and complex investigation, which gave us precise information about the data incident.
Not all supporters have been impacted in the same way by the data incident, which is why Oxfam Australia has tailored its communications for supporters based on information and advice that is relevant to their situation.
Notifications or alerts from external data breach services may be general in nature and include advice or information that is not relevant to the specific impact on an individual.
I’ve had a scam call/s or unsolicited emails etc, is this linked to the Oxfam Australia incident?
Australians frequently receive scam calls and messages that draw on personal data gathered from social media accounts and many other sources, so a scam contact is not necessarily linked to this incident. www.scamwatch.gov.au publishes information about the most current scams affecting the community. If you believe that scam activity you have experienced relates to this event, please contact our supporter response team on 1800 088 110.
Why did Oxfam have my details in the first place?
Will Oxfam remove my details from its database if I request this?
We can remove your contact details from our marketing database and ensure that you no longer receive marketing materials from us. We can also remove your personally identifiable information from other systems, where we are not required to retain that information in respect of our regulatory obligations or where the information is no longer required for the purpose for which it was collected.
How does Oxfam Australia know this will not happen again?
Oxfam Australia takes the privacy and security of our supporters' data extremely seriously, and we have taken important steps to help prevent a similar incident from happening again. While we had security systems in place at the time, the cybercrime environment is becoming increasingly sophisticated. In response, we are continually reviewing and strengthening our security systems to protect your information.
Have authorities been notified?
The matter has been reported to relevant authorities, including the Australian Cyber Security Centre (ACSC), Office of the Australian Information Commissioner (OAIC) and Australian Federal Police.