Amnesty International Australia waited four months to disclose a data breach that occurred on December 3, 2022. Hackers accessed low-risk information related to donations made in 2019, but the charity claimed that none of the data was legally required to be disclosed to the Office of the Australian Information Commissioner, or to the affected donors, as it was already public, incomplete or had scant potential to cause damage.
The charity has subsequently secured its IT systems and investigated the incident. It did not identify who was behind the attack or its motivation.
The information commissioner’s office, which is investigating a huge data breach at private health insurer Medibank, has been contacted for comment on Amnesty’s disclosure. Medibank announced it has received a report on the attack from Deloitte, following an external incident review.
Medibank has refused to make the document public but said it would share lessons with other businesses. Amnesty's disclosure that donor data was taken suggests a commercial aim behind the data breach.
Australia has faced a wave of major cyber attacks in the past 12 months, beginning with telecommunications firm Optus and continuing with Medibank and lender Latitude Financial Services.
The federal government has run a series of exercises to prepare crucial sectors of the Australian economy for the attacks, and it has increased penalties for companies found to be culpable for the worst data breaches. Amnesty International Australia said it takes cybersecurity seriously and has improved its systems to prevent future attacks.