Pareto Phone Data Breach, Staff Data Included

In recent times, a cybersecurity incident that has captured the attention of many involves Pareto Phone, a tele-fundraising company. The company fell victim to a cyber-attack in which sensitive staff data was leaked on the dark web. This article takes a comprehensive look at the data breach, the implications for the employees, and the response of the company.

The Breach: A Brief Overview

Pareto Phone, a tele-fundraising company that collects donations on behalf of numerous well-known charities, was targeted by cybercriminals. Over 320,000 files were stolen from their servers in April and later published on the dark web. The data breach involved highly sensitive documents, including police checks, child support documents, HR incidents, pay negotiations, immigration sponsorship details, COVID vaccination credentials, tax file numbers, passports, and licenses.

The Delayed Reaction: Former Staff Left in the Dark

Despite the data theft occurring in April and the information being publicly disclosed a fortnight ago, former staff whose data was included in the breach allege that the company did not inform them. The employee data exposed in the breach was up to eight years old and included outcomes of board meetings and Christmas party photo albums.

Legal Implications: The Employment Records Exemption

Documents related to leave, taxation, banking, union, resignation information and disciplinary action are generally exempt from standard privacy obligations under the Employment Records Exemption part of the Privacy Act. However, according to Andrew Tobin, an employment lawyer at HopgoodGanim, the wide scope of documents leaked in the Pareto Phone data breach means the company might not be protected.

"I genuinely don't think that the exemption is all that clearly applicable to the scenario," Mr Tobin said.

He pointed out that files including passport copies, child support details, individual pay information, and tax file numbers might not be captured by the exemption and could expose the company to litigation under other legislation.

The Company Response: Silence from Pareto Phone

Pareto Phone has not yet responded to the allegations or the data breach itself. The company's silence has raised concerns among the affected parties and cybersecurity experts alike.

Affected Charities: A Growing List

The list of charities involved in the breach has grown. Tens of thousands of donors have had personal details like date of birth and contact details published. In some cases, bank details were also exposed. Charities named in the breach include but are not limited to Hello Sunday Morning, Great Barrier Reef Foundation, Guide Dogs Vic, Taronga Zoo, The Walter and Eliza Hall Institute, RSPCA Qld & NSW, World Vision, Vinnies Qld, ActionAid, UNHCR, Greenpeace, and Peter MacCallum Cancer Centre.

The Privacy Act: Is Reform Needed?

Many employee records held by companies are not protected in the same way as customer data under the Privacy Act. Last year, a report by the Attorney General's Department proposed enhancing privacy protections for private sector employees by amending or removing the employee records exemption.

"Submissions from employers and their representatives express a strong desire to retain the exemption or strengthen it. Submissions from employee representatives and other stakeholders consider that reform is needed," the report said.

However, no action has been taken since. If the exemption were removed, many private sector workplaces would fall short of the resulting privacy obligations.

The Aftermath: The Potential for Litigation

The data breach has potential legal implications for Pareto Phone. The release of files including passport copies, child support details, individual pay information, and tax file numbers could expose the company to litigation under other legislation.

The Role of Cybersecurity: Lessons to Learn

The Pareto Phone data breach serves as a stark reminder of the importance of robust cybersecurity measures. Furthermore, in the event of a data breach, companies must promptly inform affected parties to mitigate potential damage.

Conclusion: An Ongoing Issue

Data breaches continue to pose a significant threat to companies and individuals alike. The Pareto Phone data breach is a case in point, illustrating the need for stringent cybersecurity measures and timely communication in the event of a breach.
