Written by Staff Writer.
Australian children’s charity The Smith Family was the target of a cyberattack in October that saw the personal data, including partial credit card numbers, of up to 80,000 donors stolen. Smith Family CEO Doug Taylor publicly confirmed the attack on November 22 and said they’ve contacted every donor potentially impacted.
“We recently experienced a cyber incident,” he said in a statement. “The incident involved a Smith Family team member’s email account being temporarily accessed by an unauthorised third party. They were seeking to steal The Smith Family’s funds. Upon discovering this incident, we promptly acted, and the attempts were unsuccessful.”
According to the charity’s financial statements, The Smith Family generated revenues of AUD154.4 million in the 2020/21 financial year, including AUD121 million from donations, corporate support, and bequests. That money supported almost 180,000 children and young people in need around Australia.
While the charity successfully thwarted the attempt to access funds, Taylor said the personal data of “some individuals” may have been accessed. He says that data included names, addresses, contact details, the amount of donation, and in some cases, the first and last four digits of the card used to donate. The CEO stresses that full card numbers, expiry dates, and CCVs were not stolen because the charity does not retain that information.
“We can confirm for those with potential credit or debit card details accessed, no middle digits, expiry date or CVV numbers were accessed as The Smith Family does not store that information in its systems,” Taylor said. “The data accessed in itself cannot be used to make fraudulent purchases.”
He added that The Smith Family does not ask for sensitive personal data such as passports or driver’s license details during the donation process. While the charity is notifying donors, Taylor says so far, there is no evidence of any misuse of donor’s data.
This cyberattack is the latest in a wave of high-profile breaches involving Australian entities. In September, hackers stole the personal data of millions of customers in a major breach at Optus, and hackers continue to release sensitive medical data following an attack on health insurer Medibank Private. The AFP has said a group of “loosely-affiliated” malicious actors based in Russia were behind the Medibank attack. The law enforcement agency has also warned Australian entities to prepare for a series of financially motivated cyber-attacks.
Taylor says following the cyberattack, the charity took immediate steps to secure its IT systems and an investigation involving cybersecurity experts commenced. The CEO says he’s taking the breach extremely seriously and apologised to donors for any “stress or inconvenience caused.”
But he says that the Smith Family cyberattack is unrelated to the Optus or Medibank Private attacks and the charity’s decision not to collect or store identification data or complete credit card details differentiates it from the other incidents. However, Taylor says donors are advised to act to protect their information, be alert for scams, and if evidence of further data breaches or misuse arises, action will be taken and stakeholders informed.
The Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) have also been notified of the incident.
