
Everything You Need to Know About Oxfam Australia's Cyber Attack

In a statement posted on 1 March 2021, Oxfam Australia announced that its supporters' information in one of its databases was unlawfully accessed by an external party on the 20th of January 2021.

Oxfam, the large not-for-profit, community-based aid and development organisation, has confirmed that its databases were hacked and data was unlawfully accessed by an external party.

What Happened

Cyber criminals gained access to files that contained data of supporters who signed petitions, took part in a campaign or made donations and/or purchases.

Passwords were not compromised; however, names, addresses, birthdates, email addresses, partial credit card numbers, phone numbers, gender and donation history may have been accessed.

All affected parties were contacted directly by Oxfam on the 4th of February 2021 and records have been added to the Have I Been Pwned website, a search engine that allows you to see if your information has been leaked in a data breach. 

'Chief Executive Lyn Morgain said that Oxfam Australia immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.'

'The database includes information about supporters who may have signed a petition, taken part in a campaign or made donations or purchases through our former shops.

While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party for the majority of supporters included names, addresses, dates of birth, emails, phone numbers, gender and in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.'

What is a Cyber Breach?

It is considered a cyber breach when part of your business is accessed unlawfully. This could be an ex-employee logging in, or a hacker gaining access to your systems.

Notification Requirements

Did you know that if you have a cyber breach you may be legally required to notify the Australian government?

Failure to notify can result in fines of $360,000 for individuals and $1.8 million for businesses. It's important to have the right measures in place to identify if you have had a breach, and if you do, what steps to follow to notify the right parties.

We recommend creating an Incident Response Plan for your business. Your company lawyer, IT team and leadership teams should be involved in developing the plan. Once it is created, we recommend doing a practice run so that, in the event that you do have a breach, you are well prepared to invoke your plan.

Check out our free template to get started.

How Can I Protect Myself?

For individuals, there are a lot of things you can do that don't require a lot of investment. Most computers today come with the ability to encrypt; check out our guide on how to set up encryption. Choose an antivirus platform that is right for you and has extra features; check out our guide to buying the right antivirus.

Turn on two-factor authentication for your social platforms - Twitter, TikTok, Instagram, Facebook, LinkedIn, Gmail.

Use strong & different passwords for all of your accounts and remember them by using a password manager like LastPass.

Besides the technology, read through the government's Little Black Book of Scams to get familiar with what a scam email or website could look like. Your best defense is arming yourself with the knowledge on how to identify something malicious.

How Can I Protect My Business?

Education and proactive prevention are key. Ransomware commonly enters a business through malicious emails, so having an email filtering and 'containerisation' platform in place is step one.

Ensuring you are in compliance with the Australian Government's ASD Essential 8 security recommendations is your first step. We have a cybersecurity team that was built with the ASD Essential 8 principles at its core and would love to secure your business.

Technology is advancing all the time, and there are some relatively inexpensive 'quick wins' you can implement to be protected:

- Audit and create a list of all your business applications, and their security features (you can use this template to get the job done)

- Foster a cybersecurity culture in your business

- Turn on encryption for all of your computers

- Educate your team on how to identify a scam

- Get familiar with the ASD Essential 8

- Follow these 5 steps to stay safe online

- Check out this post on keeping your remote workforce safe

- Talk to us about dark web scanning

- Check your insurance to see if you have cybersecurity insurance included

Cybersecurity is talked about a lot today, and for a good reason. It can be really easy to fall victim to a cyberattack, and it's not just big companies that are targeted. Your best defense is education and awareness, with technology as your backup. Knowing how to identify something malicious is the best way to keep you and your business safe online.

We have a cybersecurity team that can help you assess whether you have the right measures in place, and what else you can do to stay safe online. Get in touch to learn more.
