Friday, August 12, 2016 - Posted by Michael McCulloch
We have today received correspondence from Christians Against Poverty ("CAP") advising of a data breach at the beginning of the month, in which some systems in their UK data centre were compromised.
In a message on their website, Aimee Mai, CEO of CAP Australia and New Zealand, said:
"On 1 August 2016 CAP UK identified some suspicious activity on the computer systems that are responsible for the development of CAP Australia's systems. This presents a potential security risk for those whose data is held by Christians Against Poverty.
Investigations show that some, but not all, of our systems were compromised last week. As soon as we identified this, IT security experts were called in. They confirmed that although the servers and systems were well protected, we have fallen victim to a sophisticated, illegal, external attack.
Unfortunately, this means that details belonging to supporters and clients (both current and former) may have been accessed. These details could include full or partial names, addresses, email, phone numbers, and in some instances, bank account and credit card numbers. I’m really disappointed that this has happened, and we are taking immediate steps to address this issue.
We are in the process of contacting all affected people and have set up a web page to answer many common questions. We also have a dedicated email address and phone line for anyone with further queries or concerns."
We have confirmed that a page has been set up on their website here that answers some questions and provides an email address and contact number for those who may be concerned about their data.
What we find alarming is that the correspondence sent to us was dated Tuesday, 9 August, more than a week after the breach became known, and subsequent searches of media outlets across Australia have failed to locate any reference to the breach.
So what should you do if there is a breach of personal and/or sensitive information? The Office of the Australian Information Commissioner has some great information that you can download here
Update 16/08/2016: On two occasions prior to the release of our August 2016 newsletter we asked the OAIC for a response to the breach. This was done via email and social media, and to date we have not received a response. We will update this blog post if and when a response is received.
Update 25/08/2016: We have now received a written response from the OAIC, which we reproduce below:
Thank you for your email.
Data breach notifications are generally provided on a confidential basis and it is not standard practice for the OAIC to make a data breach notification public. The intention of the notification is for the OAIC to review the steps taken to contain, evaluate, notify affected individuals and prevent future breaches and to consider if they are appropriate in the circumstances.
For more information on how the OAIC expects an APP entity to respond to a data breach, please see our DBN Guide.