Cyber Incident Victim: Amnesty International Australia

Date: Apr 2022

Location: Australia

Summary

A cyber incident involving unauthorized access to systems at third-party supplier Pareto Phone potentially exposed personal information of some Amnesty International Australia supporters, including names, addresses, contact details, and birth dates, though financial data remained uncompromised. The breach initially led to suspended operations with Pareto, followed by temporary resumption after assurances that donor data wasn't accessed, but activities were halted again upon discovery that supporter information might have been impacted. After Pareto implemented extensive security improvements across technology, processes, and training, Amnesty resumed collaboration while maintaining ongoing monitoring of all third-party suppliers to ensure data protection standards. Forensic investigations determined the exposed data posed low risks of misuse.

Description

The cyber incident involving Amnesty International Australia (AIA) stemmed from a breach at third-party supplier Pareto Phone, first detected in April 2022. Pareto Phone, which conducted supporter outreach campaigns for AIA, experienced unauthorized access to its systems, resulting in some data being disclosed online. Initial assurances from Pareto Phone in April indicated no evidence of donor data exfiltration, with accessed files reportedly limited to campaign background documents devoid of personal information. Based on these assurances, AIA temporarily suspended activities with Pareto but resumed operations in May 2022 after Pareto engaged cybersecurity experts to investigate.

In August 2023, Pareto Phone informed AIA that supporter data might have been compromised, prompting AIA to suspend activities again and initiate its own forensic analysis. The investigation revealed unauthorized access to basic supporter information—including names, physical addresses, email addresses, mobile numbers, and dates of birth—but no financial data. Cybersecurity experts assessed the exposed data as presenting a low risk of misuse. Pareto Phone implemented large-scale technological and procedural improvements, enhanced staff training, and notified Australian authorities including the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. AIA maintained suspension of Pareto operations until September 2023, resuming only after verifying Pareto’s remediation efforts. AIA committed to ongoing monitoring of all third-party suppliers to ensure data protection standards. Affected supporters received notifications starting in August 2023, with AIA providing guidance on recognizing scams and securing online accounts while apologizing for the breach. Pareto Phone ceased trading at an unspecified later date, though AIA continued operational reviews to safeguard supporter resources.
