Following an independent IT forensic investigation, Oxfam Australia announced today that it has found that supporters’ information on one of its databases was unlawfully accessed by an external party on 20 January 2021.
The database includes information about supporters who may have signed a petition, taken part in a campaign or made donations or purchases through our former shops.
While the investigation found that no passwords were compromised, the database unlawfully accessed by the external party for the majority of supporters included names, addresses, dates of birth, emails, phone numbers, gender and in some cases, donation history. For a limited group of supporters, the database contained additional information, and Oxfam is contacting these supporters directly to inform them of the specific types of information relevant to them.
Oxfam Australia alerted its supporters of the potential risk on 4 February 2021 and has now begun notifying all supporters about steps that they can take to protect their information.
Oxfam Australia has notified and is working with industry regulators, including the Office of the Australian Information Commissioner and Australian Cyber Security Centre.
Chief Executive Lyn Morgain said that Oxfam Australia immediately launched the investigation and engaged industry-leading forensic IT experts to assist after being alerted on 27 January 2021 to a suspected data incident.
“Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” Ms Morgain said. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”
Given the nature of the information accessed, there may be risks relating to scam communications via unsolicited emails, phone calls or text messages. We recommend people remain vigilant and refrain from actioning unsolicited requests to provide information, including actioning links and opening attachments. Scammers can seem quite believable and impersonate government, police and business, including making their telephone numbers and email addresses look legitimate. If in doubt, people are encouraged to make their own enquiries via official and publicly reported communication channels.
Ms Morgain assured Oxfam Australia would continue to work with relevant authorities and treat the incident with the utmost seriousness on behalf of its supporters.
“The privacy and protection of our supporters has been our paramount consideration during this process, which has involved a thorough and complex investigation,” Ms Morgain said
“Oxfam supporters are at the heart of our organisation and their confidence is critical to our ongoing work in tackling the inequality that causes poverty around the world.
“We sincerely regret this incident has occurred.”
