Cyber incident update – October 2023
Since Pareto discovered the data breach this year, the company undertook significant and robust remediation efforts, having implemented large scale improvements to technology, systems, processes and training. Amnesty worked closely with Pareto to understand the changes that had been put in place, waiting until we reached a high degree of assurance and confidence in Pareto as trusted partners in undertaking crucial calling campaigns on Amnesty’s behalf. Considering these improvements as well as Pareto’s role in supporting our calling program, Amnesty decided it was appropriate for Pareto to resume calls on our behalf until we were advised that Pareto have ceased trading. Amnesty will of course continue to monitor and review the performance and compliance all of our third party suppliers across our operations to ensure that the resources and data trusted to us by our valued supporters are handled with the highest degree of care and security.
Cyber incident update – September 2023
Since Amnesty International Australia’s (AIA) last update in August, we have worked closely with Pareto Phone to determine potential impacts of the unauthorised data access, as well as working to strengthen security across all systems. Since the discovery of the data breach earlier this year, Pareto has undertaken significant and robust remediation efforts, having implemented large-scale improvements to technology, systems, processes and training. Amnesty suspended work with Pareto while investigative activities were underway, waiting until we reached a high degree of assurance and confidence in Pareto’s efforts to protect data before considering a resumption in activity. Having reviewed the actions taken thus far, Amnesty has decided it is appropriate for Pareto to resume calls on our behalf. Amnesty will continue to monitor and review the performance and compliance of Pareto and all of our third-party suppliers across our operations to ensure that the resources and data trusted to us by our valued supporters are handled with the highest degree of care and security.
Cyber incident update – August 2023
Amnesty International Australia (AIA) has recently been made aware of a cyber incident affecting a third-party supplier that may have impacted the personal information of some AIA supporters. We value the trust all supporters put in us as a human rights organisation and we’re committed to being transparent as we investigate this incident.
We believe the following personal information may have been impacted: name, physical address, email, mobile and date of birth. Cyber experts have determined this data to be of low risk of misuse. Importantly, there’s no indication that supporter financial information has been compromised.
Understanding what’s happened
Amnesty International Australia partners with Pareto Phone, a supplier we use for calling supporters to help raise awareness of human rights issues and raise vital funding to protect and defend human rights.
In April this year, Pareto Phone experienced a cyber incident involving unauthorised access to its systems, which has resulted in some of its data being disclosed online. At that time, Pareto Phone assured Amnesty and its other charity partners that there was no evidence to suggest that donor data had been downloaded or taken. We were advised that the files accessed related to campaign background and briefing documents which do not contain personal information.
Pareto Phone has been working with forensic and cyber security experts to investigate and ascertain which data files have been impacted. On August 8, Pareto Phone made Amnesty aware that some of our supporters’ information may be impacted by this incident. As soon as Amnesty became aware, we began our own forensic analysis. Our investigation indicates that some of our supporter data was involved, but is limited to basic details and contact information, which is understood to present a low risk of misuse.
Action taken
Amnesty initially suspended activities with Pareto Phone in April, while Pareto conducted its investigation with cyber security experts. After receiving assurances from Pareto Phone that donor data had not been taken, Amnesty made the decision to resume activities in May. Amnesty has now suspended activities again to allow us to conduct our own investigation.
Pareto Phone is working with cyber security experts to ensure the ongoing safety and security of its systems. Pareto Phone has also notified the relevant authorities including the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.
Next steps
We take the privacy of our supporters seriously and are disappointed that this cyber event occurred. We’re working on this as a matter of urgency including contacting supporters who have been affected.
We understand this news will be concerning and we apologise for any distress this may cause our supporters. We’re here to provide support. We invite anyone who would like further information or to discuss this matter to contact our Supporter Care team at supporter@amnesty.org.au or 1300 300 920.
Additional steps you can take to protect your information
Given the very recent spate of cyber-attacks occurring in Australia, AIA also wishes to provide some additional steps our supporters can take to further protect their information as a precautionary measure.
Where a third-party may have potentially accessed your contact information, it is important to:
- be aware of email, telephone and text-based scams. Do not share your personal information with anyone unless you are confident about who you are sharing it with.
- when on a webpage asking for your login credentials, take note of the web address or URL (‘Uniform Resource Locator’). The URL is located in the address bar of your web browser and typically starts with https://.
- if you are suspicious of the URL, do not provide your login details. Contact the entity through the usual channels to ensure you are logging into the correct web page. Please note, AIA will never contact you to ask for your username or password.
- enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts.
- ensure you have up-to-date anti-virus software installed on any device you use to access your online accounts.
- follow the Australian Competition and Consumer Commission’s Scamwatch guidance for protecting yourself from scams here: https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams/
- for more information, you can visit the OAIC’s tips for further guidance about protecting your identity: https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy/
Additional general resources on identity and cyber security support can be found here:
- https://www.oaic.gov.au/privacy/data-breaches/data-breach-support-and-resources/
- https://www.idcare.org/
We would again like to sincerely thank the community for their ongoing support as we continue our important work to advance human rights across Australia and around the world.
