On 10 August 2023 we were informed that one of our previous service providers, Pareto Phone, experienced a cyber incident that impacted ChildFund Australia and over 70 charities across Australia.
Pareto Phone is a telemarketing company that provided phone and other services to Australian charities. ChildFund Australia engaged Pareto Phone’s services between 2014 and 2018.
In April 2023, Pareto Phone experienced a cyber incident which resulted in access to their systems by an unauthorised third party. Pareto Phone investigated the incident but could not tell what data may have been accessed by that third party at that time. Pareto Phone took steps to contain the incident and protect its systems from ongoing access.
On 8 August 2023, the unauthorised third party published (on its external dark web leak site) a listing of the data that it claimed to have obtained from Pareto Phone’s systems. On 10 August 2023 we were informed by Pareto Phone that ChildFund Australia and over 70 charities across Australia were affected by the cyber incident at Pareto Phone.
Subsequently on 14 August 2023, the unauthorised third party published the actual data on the dark web, but we understand the documents have only been accessible intermittently.
Since August, our team has been working closely with Pareto Phone and our own external cyber security advisors to conduct a further investigation into precisely what data has been impacted.
We deeply regret that some of our supporters’ information has been compromised by the breach of Pareto Phone’s systems and are notifying our valued supporters who have been affected by the recent cyber-attack.
Frequently Asked Questions
Since becoming aware of the incident, our team has worked closely with Pareto Phone and engaged our own external cyber security advisors to conduct a thorough and detailed investigation to determine what data has been impacted.
We are now notifying impacted individuals so that you can take action to reduce the potential impacts. We will work closely with our country programs to inform impacted sponsored children and their families, so they are aware of the breach and to remind them of online safety precautions. ChildFund Australia is disappointed that one of its previous partners suffered a cyber incident. We have been taking all reasonable steps to investigate the incident and protect our impacted individuals.
For more information, please contact the ChildFund Australia Supporter Relations team on 1800 023 600 or email info@childfund.org.au
Once aware of the unauthorised access to data, we understand Pareto Phone worked urgently to contain the threat and investigate. Pareto Phone also engaged external cyber security experts to assist with their response to the incident and is working with these experts to ensure the ongoing safety and security of its systems.
Pareto Phone prioritised data scans to identify whether payment card information (PCI) had been exposed. Pareto Phone notified ChildFund Australia on 11 August that no PCI information had been identified in ChildFund Australia files.
Pareto Phone reported the incident to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) and has been cooperating with their investigations.
We remind our donors to remain vigilant and alert to any fraudulent or suspicious activity, particularly any scam activity from anyone purporting to be from ChildFund Australia. If you receive any communications from ChildFund Australia that you are unsure about, you can call us directly on 1800 023 600.
Pareto Phones have partnered with IDCARE, Australia’s national identity and cyber support community service. They have expert Case Managers who can work with you in addressing concerns in relation to personal information risks and any instances where you think you information may have been misused. IDCARE’s Case Managers will work with you to design and implement a tailored individual risk assessment and response plan.
IDCARE’s services are at no cost to you. If you wish to speak with one of their expert Case Managers, please complete an online Get Help form at www.idcare.org or call 1800 595 160. Note that IDCARE specialist Case Managers are available from 9am-5pm AEST Monday to Friday excluding public holidays. When engaging IDCARE please use the referral code PAPHCH23.
You should always exercise good password practice (see here for some guidance from the Australian Cyber Security Centre: https://www.cyber.gov.au/protect-yourself).
Further general information on online safety, cyber security and helpful tips to protect yourself and respond to scams, identity theft and other online risks, can be found at
- https://www.cyber.gov.au/threats
- https://www.oaic.gov.au/privacy/your-privacy-rights/ways-to-protect-your-privacy
- https://www.scamwatch.gov.au/
If you would like more information about how ChildFund Australia protects the personal information of our donors and supporters; please visit: Privacy Policy – ChildFund Australia
Upon being notified of the breach on 10 August 2023, our team has worked closely with Pareto Phone as well as engaged our own external cyber security advisors to conduct a thorough and detailed investigation to determine what data has been impacted.
This has meant determining the type of information accessed as well as the risk implications for our donors and supporters.
ChildFund Australia has never collected personal identification data such as passport numbers and drivers’ licenses from its supporters and donors. In addition, we are not aware of any Supporter financial information being involved in the incident.
There has also been no impact to ChildFund Australia’s systems.