Pareto Phone
Summary
Brisbane-based telemarketing firm Pareto Phone was attacked by the LockBit ransomware group in April 2023. The attackers stole roughly 150GB of data and later published it on their dark web leak site, exposing approximately 50,000 donors across 70 Australian charities. Pareto Phone did not disclose the breach to affected organisations until August 2023, and the stolen data included donor records dating back more than 15 years. The incident raised serious questions about data retention practices: many charities were unaware that Pareto still held historical donor records from engagements that had ended years earlier.
What Happened
In April 2023, the LockBit ransomware group attacked Pareto Phone's systems and exfiltrated 150GB of data. LockBit listed Pareto Phone on its dark web leak site on 31 July 2023, threatening to release the data on 7 August if ransom demands were not met.
Charities were first notified of the breach on 8 August 2023—four months after the initial attack. On 14 August 2023, Pareto Phone informed organisations that the unauthorised party had published donor information on the dark web.
Impact on Individuals
The breach affected approximately 50,000 donors across 70 charitable organisations. Among the worst hit were WWF Australia (20,500 donors), the Australian Conservation Foundation (13,500 donors), and Plan International Australia (8,000 donors).
The compromised donor data dated back more than 15 years in some cases, raising serious concerns about data retention practices. Médecins Sans Frontières (MSF) had not engaged Pareto since 2018, and The Fred Hollows Foundation last worked with the company in 2013 and 2014, yet Pareto still held their donors' information.
Retaining such historical data is at odds with the Australian Privacy Principles (APP 11.2), which require an organisation to destroy or de-identify personal information once it is no longer needed for the purpose for which it was collected. The practical lesson for organisations that outsource donor contact is to treat the vendor's data holdings as part of their own attack surface: contracts should require deletion at the end of an engagement, and that deletion should be confirmed rather than assumed. Affected donors faced the usual follow-on risks from exposed contact details, including phishing, scams, and unwanted solicitations that use the stolen information to appear legitimate.
Organisational Response
Pareto Phone notified affected charities on 8 August 2023, four months after the April intrusion. During that interval neither the charities nor their donors knew that the data was at risk, even though LockBit had been threatening publication for over a week before the first notification.
The Office of the Australian Information Commissioner (OAIC) launched an investigation into Pareto Phone amid accusations that it had failed to meet Australian privacy standards, particularly regarding data retention and the timeliness of its notification under the Notifiable Data Breaches scheme, which requires an entity to assess a suspected eligible breach within 30 days of becoming aware of it.
Just months after the breach, Pareto Phone collapsed, leaving more than 100 workers unemployed. The company's failure illustrates how a single intrusion, compounded by poor data retention and slow disclosure, can end a business and spread harm across its employees, its clients, and the individuals whose data it held.