After a month-long investigation, Oxfam Australia has officially disclosed a data breach affecting the PII of its donors. It was reported earlier that a hacker had put a stolen Oxfam Australia database up for sale, containing the PII and some banking transactions of about 1.7 million people.
Oxfam Australia Data Breach
Oxfam Australia is a nonprofit organization with millions of volunteers that raises funds to help poor countries in Africa, Asia, and the Middle East. The organization suffered a security incident in January this year, in which one of its databases was stolen by an unknown hacker (or group).
The incident was first reported by BleepingComputer, which found a hacker selling the stolen Oxfam Australia database on a forum. The sample shared was verified to be accurate and to have a full set of information belonging to over 1.7 million people. The details include names, email addresses, gender, dates of birth, and phone numbers.
Donation history is also included for most people, containing banking transaction details such as the account name, account number, and partial credit card numbers. When this was reported to Oxfam Australia, it started an investigation with independent IT forensic experts on January 27th and determined that the breach occurred on January 20th, 2021.
It has now officially disclosed the incident, saying that an unauthorized third party accessed one of its databases containing sensitive data of its donors and volunteers. It also gave assurance that the stolen database did not contain account passwords. Still, it warned that cyberattacks may be carried out against affected people and advised them to stay vigilant.
Though Oxfam Australia is now informing the affected people, all Oxfam Australia members are advised to change their account passwords as a security best practice. Also, since banking details are included in the incident, users should look out for potential phishing, SMS messages, and phone calls asking for more sensitive data.