Oxfam Australia
Summary
Oxfam Australia suffered a significant data breach in early 2021 affecting approximately 1.7 million supporters and donors. The breach exposed personal information including names, contact details, and dates of birth. Following an OAIC investigation, Oxfam entered into an enforceable undertaking to improve its privacy and data security practices.
What Happened
Oxfam Australia discovered unauthorised access to its systems in February 2021. The attackers accessed a database containing personal information of supporters, donors, and individuals who had engaged with the charity through campaigns, petitions, or donations.
The breach compromised approximately 1.8 million records containing personal information collected over many years of Oxfam's operations in Australia. The incident came to light when Oxfam detected suspicious activity on its systems.
Following the breach, Oxfam Australia engaged cybersecurity experts to investigate the extent of the compromise and worked with the OAIC to assess privacy impacts.
Impact on Individuals
The breach exposed personal information of 1.7 million Australians who had supported Oxfam's humanitarian work, including:
- Contact information: Names, email addresses, phone numbers, postal addresses
- Demographic data: Dates of birth
- Engagement history: Records of donations, petition signatures, campaign participation
Affected individuals faced risks of:
- Targeted phishing: Scammers could impersonate Oxfam to solicit fake donations
- Identity theft: Combination of personal details could be used for fraud
- Privacy violation: Exposure of charitable giving preferences and activism
Organisational Response
Oxfam Australia notified affected individuals and engaged independent cybersecurity experts to conduct a thorough investigation. The organisation worked cooperatively with the OAIC throughout the investigation.
In response to the OAIC's findings, Oxfam entered into an enforceable undertaking committing to:
- Implement enhanced information security measures
- Conduct regular security audits and penetration testing
- Develop and maintain an incident response plan
- Provide privacy and data security training to staff
- Appoint a dedicated privacy officer
The OAIC's acceptance of the enforceable undertaking provided a pathway for Oxfam to demonstrate improved data protection practices without financial penalties.
Legal Action
OAIC Enforceable Undertaking (2021-2022)
The Office of the Australian Information Commissioner investigated the breach and accepted an enforceable undertaking from Oxfam Australia. The undertaking required Oxfam to implement comprehensive improvements to its privacy and data security framework, including regular independent audits and staff training programs.