Cyber Incident Victim: Oxfam Australia

On January 20, 2021, Oxfam Australia suffered a cyberattack resulting in unauthorized access to a donor database containing supporter information. The breach was confirmed following an independent IT forensic investigation initiated after BleepingComputer alerted the charity about the sale of its stolen data on a hacker forum in January 2021. The compromised database held approximately 1.7 million records of individuals who had signed petitions, participated in campaigns, donated funds, or made purchases through Oxfam’s former retail shops. Exposed data included names, email addresses, physical addresses, phone numbers, dates of birth, gender, and donation histories. For a limited subset of supporters, the database also contained bank names, account numbers, and partial credit card numbers. No passwords were compromised in the incident. Samples of the stolen data shared by the threat actor on the forum were verified by BleepingComputer as authentic, with at least one record confirmed to be accurate. Oxfam Australia did not disclose how the attackers gained access to the database or whether any party purchased the data after its advertisement online.

The breach exposed sensitive donor information across multiple regions, given Oxfam Australia’s operations in Africa, Asia, and the Middle East. Oxfam notified supporters whose additional financial details were accessed and advised all affected individuals to remain vigilant against targeted phishing attempts via email, SMS, or phone calls impersonating the charity. The organization emphasized that no passwords required resetting but acknowledged the risk of attackers leveraging stolen data for further exploitation. The forensic investigation confirmed the intrusion date but did not reveal detection methods, containment procedures, or whether data exfiltration was prevented. Oxfam Australia, part of a global confederation of 20 charities, did not specify if other Oxfam affiliates’ systems were involved or impacted. The incident highlighted risks to nonprofit entities managing large volumes of donor data, though the full scope of operational disruptions or financial consequences to Oxfam Australia remained undisclosed in available reports.