Data breach impacts non-profit organization’s operations; thousands of people affected

An Oxfam Australia representative confirmed that its IT area was affected by a data breach incident possibly caused by unauthorized access to a database containing information from thousands of people interested in the causes of this organization. Oxfam is a confederation of 19 non-governmental organizations from various countries, carrying out humanitarian work in around 90 countries.

In a statement, the organization mentioned that an unidentified actor gained access to a protected database on January 20. Oxfam’s teams reportedly detected the intrusion a week later and hired a forensic security firm to investigate the incident.

Early reports indicate that the compromised database includes multiple details about the people who signed a petition or participated in donation campaigns on behalf of the company. Among the details are full names, addresses, telephone numbers, email addresses, gender, dates of birth and, in some cases, the amount of donations made.

The non-governmental organization also mentions that affected persons are already being notified and will receive guidance on the security measures that need to be taken in order to prevent subsequent incidents: “The incident involves additional information from a limited number of our supporters. Oxfam is communicating with affected persons to inform them about this situation,” the statement adds.

Moreover, in compliance with the Australian Notifiable Data Breach (NDB) Law, Oxfam had to notify the Australian Information Commissioner’s Office and the Australian Cybersecurity Centre of the incident. Under the NDB, organizations generating annual revenues of more than AU $3 million must report any cybersecurity incidents within one month of detection. In the event of non-compliance, affected organizations may face severe financial penalties.

Oxfam Australia believes that there will be no issues with its handling of and response to this incident: “We have maintained an open and efficient communication with our partners and the relevant authorities since the start of the investigation.” Finally, the organization asks all its members and supporters to remain alert to the potential deployment of a phishing campaign using the compromised information to try to take advantage of affected users.
