Media Centre - 27 August 2023

Cyber security incident

As an organisation that conducts fundraising activity to support its mission for girls’ equality, like many charities, Plan International Australia engages with third-party suppliers to help raise critical funds on its behalf.

In April this year, a third-party telephone supplier we use, Pareto Phone, notified us of a cyber-attack and preliminary investigations suggested Plan International Australia was not impacted. However, in August, data published on the dark web and Pareto Phone’s ongoing investigation confirmed that some Plan International Australia supporters, the majority of whom last had an interaction with us almost 15 years ago, had some data exposed. This was differing advice to the original assurances we received.

With the support of our cyber-security experts, our internal investigation can now confirm that approximately 8,000 supporters have had personal information such as name and email, address and phone number disclosed. Regrettably, a subset of that data, dating back to 2009, contains expired credit card details. These credit cards have been expired for more than 10 years. We are currently reviewing the data and are in the process of notifying all supporters who have been affected.

As investigations continue, all activity with Pareto Phone has been suspended and we are no longer working with this business. We trusted Pareto Phone, and we were not aware that this data was still held by Pareto Phone. In keeping this data, Pareto Phone has breached Australian Privacy Principles as well as our own agreement for the data to be destroyed. We have made a formal complaint to the Fundraising Institute of Australia in relation to Pareto Phone and this matter.

We are deeply sorry to our supporters and understand this is concerning news. We have begun the process of communicating with impacted individuals to provide them with a full and transparent view of what happened, why and what steps we are taking moving forward.

Plan International Australia takes the privacy of all our supporters very seriously, and we have strong protocols in place to ensure the protection of private information. In this instance, these were not followed by the third party, Pareto Phone. While we have robust security systems in place, the cyber-crime environment is changing rapidly and, in response to this, we will be constantly reviewing the systems of our suppliers and strengthening our security systems protocols to protect our supporters.

We are committed to always maintaining open and transparent communications with supporters and we thank them for their understanding – they are the lifeline of our work to see girls valued and empowered so that future generations inherit a brighter, more equitable future. Without their support, our emergency and development programs in some of the world’s most vulnerable countries would not be possible.

Should any of our supporters be concerned or would like to discuss this matter further, we invite you to contact our Donor Care Centre on 13 75 26 or via [email protected].

Susanne Legena
CEO
Plan International Australia

Additional steps impacted supporters can take to protect their information online:

  • Remain alert: We suggest you be cautious of any unsolicited communications that may appear to be from us. Cyber-criminals often use breaches as an opportunity to send phishing emails. Always verify the source of emails and avoid clicking on suspicious links or providing personal information.
  • Review passwords and protection: You may wish to review your password practice (see here for guidance from the Australian Cyber Security Centre: https://www.cyber.gov.au/protect-yourself). You can also enable multi-factor authentication for your online accounts where possible, such as your banking, email, and social media accounts.
  • You can find further information about online safety, cyber security and helpful tips to protect yourself at the Australian Government’s Australian Cyber Security Centre website at: https://www.asd.gov.au/cyber-security or the ACCC’s Scamwatch website at: https://www.scamwatch.gov.au.

Media contacts

Claire Knox

Media & PR Manager
0452 326 549
