Australian Cancer Research Foundation
Summary
The Australian Cancer Research Foundation (ACRF) disclosed a data security incident on 30 August 2024 after detecting unauthorized access to its network and employee email inboxes. The breach occurred when an employee responded to a fraudulent email from a known contact who had themselves been compromised. Donor information including contact details, payment histories, and potentially credit card details may have been exposed.
What Happened
ACRF received a fraudulent email that appeared to come from someone known to the organization who had themselves been the victim of a cyber attack. An employee responded to this email, which allowed the unauthorized third party to gain temporary access to ACRF's network, including the email inboxes of several employees. The attackers could access any information contained in those email accounts, potentially going back many years.
Impact on Individuals
The breach exposed sensitive donor information including:
- Contact details and donor IDs
- Payment histories and donation details, including BPay IDs
- Personal experiences, stories, and health information shared with ACRF
- Potentially credit card and bank account details if provided in writing prior to 2023
Affected donors should:
- Monitor bank and credit card statements for unauthorized transactions
- Be extremely alert for phishing emails that exploit their relationship with ACRF or their health information
- Watch for scams targeting cancer patients or their families using stolen personal stories
- Consider canceling and replacing credit cards whose details were provided to ACRF before 2023
- Place fraud alerts on financial accounts
The exposure of health information and personal cancer-related stories is particularly sensitive and could enable highly targeted emotional manipulation scams.
Organisational Response
ACRF CEO Kerry Strydom contacted donors on Friday afternoon, 30 August, to inform them of the data security incident. The organization engaged cyber security professionals to assist in the response. ACRF confirmed that credit card and bank details used via their payment gateway/donor portal after 2023 were not compromised, as these are processed through secure third-party systems. The foundation worked to notify affected donors and implement security improvements to prevent similar incidents.