Cyber Incident Victim: Pareto Phone
Date: Mar 2023
Location: Australia
Summary
A cyberattack on charity telemarketing firm Pareto Phone compromised the personal details of donors to multiple Australian charities, including full names, dates of birth, addresses, and contact information spanning up to a decade. The LockBit ransomware group claimed responsibility and exfiltrated data that was later published on the dark web; no financial details were reported as accessed. Impacted charities such as the Fred Hollows Foundation, Canteen, the Cancer Council, and Médecins Sans Frontières reported varying numbers of exposed donors, and some were unaware their historical data was still being stored, prompting criticism of inadequate data retention practices. The incident triggered advocacy for stronger cybersecurity support for non-profits amid broader concern about ransomware groups targeting sensitive citizen information held by third-party vendors.
Description
A cyberattack compromised the personal data of thousands of Australian donors through charity telemarketing firm Pareto Phone in April 2023, though public disclosure came months later, after the stolen information appeared on dark web forums. The LockBit ransomware group, operating under a ransomware-as-a-service model, claimed responsibility for infiltrating Pareto Phone's systems and exfiltrating donor records spanning up to a decade. Compromised data included full names, dates of birth, addresses, email addresses, and phone numbers; financial details such as credit card numbers or bank account information were not confirmed as part of the theft. Over 70 Australian and New Zealand charity clients were potentially affected, and multiple organizations publicly confirmed breaches, including the Fred Hollows Foundation, Canteen, the Cancer Council, and Médecins Sans Frontières. Pareto Phone did not notify its charity partners until donor records surfaced for sale online, which forced the affected non-profits to run their own investigations to determine the scope of their exposure. The Fred Hollows Foundation confirmed that personally identifiable information of 1,700 donors from 2013 and 2014 had been downloaded, while Canteen reported that approximately 2,600 donors from the 2020–21 period were impacted.

Affected charities responded by suspending business with Pareto Phone, auditing their data-sharing practices, and notifying donors. The Fred Hollows Foundation emphasized that it had not known Pareto Phone retained client data beyond the active service period, and said this breached the Australian Privacy Principles, which require personal information to be destroyed or de-identified once it is no longer needed (APP 11.2). The Cancer Council stated that only a small subset of its donors appeared to be affected but was awaiting final confirmation from Pareto Phone to complete its assessment. Cybersecurity firm Darktrace noted that the incident reflected a broader trend of cybercriminals monetizing Australian citizen data; specifics of Pareto Phone's system vulnerabilities, the initial attack vector, and containment measures were not publicly disclosed. In response to the breach, the Community Council for Australia petitioned the federal government on August 22, 2023, highlighting the exclusion of charities from national cybersecurity strategies despite mounting threats to the sector. The exposure of legitimately collected but outdated records, some dating to 2013, underscored the systemic risk of third-party vendors holding sensitive donor information for years without any operational need for it.
