We have become aware of a cyber incident that has impacted some of our valued supporters and their personal information. Those impacted have been contacted directly.
This incident was experienced by one of our former suppliers, Pareto Phone Pty Ltd. Pareto Phone is a telephone fundraising services provider. The incident is limited to 208 people who were contacted in 2015 by Australian Breast Cancer Research, a charity of The Hospital Research Foundation Group.
The Hospital Research Foundation Group’s own networks and servers have not been affected in any way.
What has happened?
Pareto Phone recently experienced a cyber incident which resulted in an unauthorised third party gaining access to its data systems. The incident itself occurred in April 2023; however, it was brought to our attention in August 2023 when Pareto Phone advised us that some data had been published on the dark web. As soon as we were informed by Pareto of the incident in August 2023, we launched an investigation.
A detailed analysis was conducted by Pareto Phone and external forensic experts. The information that Pareto Phone has now provided has enabled us to confirm that some of our supporters have been impacted.
At the outset, we apologise that your personal information has been impacted in this incident. Please be assured that protecting your personal information is our priority, and we have taken this matter very seriously.
Impacted personal information
It has now been identified that only the following types of personal information (from 2015) are likely to have been extracted from Pareto Phone’s network by an unauthorised third party (this may vary from person to person):
- Suburb and Postcode
- Email address
- Date of birth
Investigations have confirmed that no bank account or credit card information was included in the files held by Pareto Phone.
What actions has Pareto Phone taken?
Once aware of the unauthorised access to data, we understand Pareto Phone worked urgently to contain the threat and investigate what occurred. Pareto Phone also engaged external cyber security experts to assist with their response to the incident and is working with these experts to ensure the ongoing safety and security of its systems.
Pareto Phone has informed us that it has reported the incident and continues to work closely with both the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
What steps should you take?
We recommend that you take the following general precautionary steps to reduce the risk of harm associated with access to your personal information:
- Remain alert to increased scam activity or any unsolicited communications via email, post, SMS or phone.
- Do not click on any suspicious links or provide your passwords or any personal information.
- Consider changing your online account passwords.
Further information on online safety, cyber security and helpful tips to protect yourself and respond to scams, identity theft and other online risks can be found at https://www.cyber.gov.au/threats
If you need further assistance beyond the recommendations above, Pareto Phone are making available to you the services of IDCARE, Australia’s national identity and cyber support community service. Pareto Phone has partnered with IDCARE specifically for the purpose of providing impacted individuals with tailored and specific advice, beyond the general advice that is ordinarily available to members of the public.
IDCARE have expert Case Managers who can work with you in addressing concerns in relation to personal information risks and any instances where you think your information may have been misused. IDCARE’s services are at no cost to you.
If you wish to speak with one of IDCARE’s Case Managers please complete an online Get Help form at www.idcare.org or call 1800 595 160. IDCARE’s Case Managers are available from 9am-6pm AEDT Monday to Friday excluding public holidays. When engaging IDCARE please use the referral code PAPHCH23.
Other charities have also been caught up in this incident with Pareto Phone and you may have received a separate notification from another charity. If another charity has identified further breaches of your personal information, please follow their advice.
Please rest assured that The Hospital Research Foundation Group employs stringent security measures and protections to safeguard our systems and stakeholder data. These include cyber threat detection, data encryption and strict authentication protocols.
We apologise for any inconvenience or concern this incident may cause you. Your trust is very important to us, and we are committed to protecting the privacy and security of your personal information.
If you would like any more information about this incident or have any questions, please contact us via email at [email protected] or by calling (08) 8445 2453.