Oxfam Australia has suffered a data leak impacting 1.8 million donors.
# Incident Report: Oxfam Australia Donor Data Leak
## Executive Summary
Oxfam Australia suffered a significant data breach resulting in the exposure of data belonging to approximately 1.8 million donors, campaign participants, and charity shop customers. The compromised data, which included Personally Identifiable Information (PII), was later discovered for sale on a dark web hacker forum. Oxfam confirmed the breach and alerted affected parties to potential risks like phishing.
## Incident Details
- Discovery Date: Around March 8, 2021, per the source; the breach became public when BleepingComputer found the data posted for sale on a hacker forum and Oxfam confirmed it.
- Incident Date: Undisclosed; the compromise preceded the discovery date by an unknown interval.
- Affected Organization: Oxfam Australia
- Sector: Non-Profit / Charity / Aid and Development
- Geography: Australia (Organization base)
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Unknown. The source implies an external compromise of the system holding the supporter database, but names no vulnerability, credential theft or misconfiguration.
- Details: Attackers successfully gained access to Oxfam Australia’s supporter database.
### Lateral Movement
- Details: Not described in the source. Lateral movement should not be assumed: a single exposed database, application or backup would be enough to account for the reported outcome, so treat this stage as unconfirmed.
### Data Exfiltration/Impact
- Details: Personally Identifiable Information (PII) including names, addresses, emails, phone numbers and donation histories was compromised. The source also reports concern that bank account numbers and partial credit card data were included; this was not confirmed at the time of reporting.
### Detection & Response
- Date/Time: Not given for any internal detection. The breach came to light externally, when BleepingComputer found the data posted for sale on a hacker forum.
- Response Actions: Oxfam Australia issued an official statement confirming the incident, acknowledging the potential scope (all campaign participants and shop customers), and alerted victims to heightened risks of phishing and telephone scams.
## Attack Methodology
*Note: Specific technical details were not provided in the source; this section summarizes the presumed minimum required for the reported outcome.*
- Initial Access: Unknown vulnerability exploitation or compromised credentials.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown.
- Credential Access: Unknown.
- Discovery: Unknown; the source does not say how the attackers located the supporter database.
- Lateral Movement: Not evidenced in the source; only required if the database was not directly reachable from the initially compromised system.
- Collection: Gathering PII records from the database.
- Exfiltration: Transferring 1.8 million records off the network.
- Impact: Unauthorized sale and potential publication of sensitive supporter data, exposing affected individuals to phishing and telephone scams.
## Impact Assessment
- Financial: Unknown. The source gives no figures; response, notification and any regulatory costs are not reported.
- Data Breach: 1.8 million donor records. Data included names, addresses, emails, phone numbers, donor histories, and potentially bank account numbers and partial credit card data.
- Operational: No operational disruption is indicated. The primary impacts are the data exposure itself, the resulting notification and compliance obligations, and reputational harm.
- Reputational: Significant reputational damage due to the breach of sensitive data from a charity organization. Victims are at high risk of targeted scams.
## Indicators of Compromise
*Note: No specific IoCs were provided in the article.*
- Network indicators: [None provided]
- File indicators: [None provided]
- Behavioral indicators: None provided. Generic hunting targets for this class of incident are bulk reads or exports from the supporter database by a single account or session, and unusually large outbound transfers from the hosts that hold it.
## Response Actions
- Containment measures: Not described in the source; at minimum this would involve securing the breached database(s) and the systems that reach them.
- Eradication steps: Not described in the source; typical steps would be credential resets and patching of any exploited flaw, neither of which is confirmed here.
- Recovery actions: Not described in the source. The visible response was communications: a public statement confirming the incident and advice to affected individuals on the increased risk of phishing and telephone scams.
## Lessons Learned
- The organization discovered the breach via external security reporting (BleepingComputer) rather than internal monitoring, suggesting potential blind spots in detection capabilities.
- Retaining payment details (bank account numbers, partial card data) alongside contact PII raises the impact of any compromise, even for a non-profit; data that is not needed should not be kept, and what must be kept should be segregated from the general supporter record.
- The potential scope (1.8 million individuals) necessitates robust breach notification procedures.
## Recommendations
- Conduct a thorough forensic investigation to determine the initial vector and timeline of access.
- Implement enhanced database monitoring and access controls, especially for PII and financial data stores.
- Review and improve external monitoring/threat intelligence feeds to ensure early detection of data being listed on dark web forums.
- Immediately rotate high-privilege credentials associated with the affected systems.
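As an added example of the database monitoring recommended above and of the behavioral indicator listed under Indicators of Compromise, the script below is not Oxfam's tooling and is not described in the source. It parses constructed audit log lines in an assumed format (timestamp, database user, session id, rows returned, statement), with assumed table names and thresholds, and flags two patterns: a whole-table read or export of a PII table with no row filter, and a session whose cumulative rows returned from PII tables within a sliding window exceed a baseline, which catches chunked reads that are individually filtered but collectively dump the table.

```python
"""Bulk-read detector for a supporter database audit log (added example).

Constructed log format (an assumption, not Oxfam's):
  <ISO timestamp> user=<db user> session=<id> rows=<rows returned> stmt=<SQL>
Two rules fire:
  1. unfiltered_pii_read: a SELECT or COPY against a PII table with no WHERE
     clause (LIMIT/OFFSET pagination still counts as unfiltered).
  2. bulk_pii_volume: rows returned from PII tables by one session within a
     sliding window exceed a threshold, so chunked reads that are filtered
     per statement but dump the table over several queries are still caught.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tables holding supporter PII (assumed names).
PII_TABLES = {"supporters", "donations", "payment_methods"}
# Thresholds are assumptions; tune to the real workload's baseline.
SESSION_ROW_LIMIT = 100_000
WINDOW = timedelta(hours=1)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\d+) "
    r"rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
# Table read by the statement: the identifier after FROM, or after COPY for
# server-side exports. A deliberately small grammar for the example.
TABLE_RE = re.compile(r"\b(?:FROM|COPY)\s+([A-Za-z_]\w*)", re.IGNORECASE)
FILTER_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)

# Constructed sample log: one normal web session, one filtered mailing query,
# one chunked read that dumps the table over two filtered queries, and one
# straight dump followed by a COPY export.
SAMPLE_LOG = """\
2021-02-01T02:11:05Z user=web_app session=4412 rows=1 stmt=SELECT email FROM supporters WHERE id = 88213
2021-02-01T02:11:09Z user=web_app session=4412 rows=12 stmt=SELECT * FROM donations WHERE supporter_id = 88213
2021-02-01T02:12:40Z user=mailer session=7700 rows=20000 stmt=SELECT email FROM supporters WHERE newsletter = true
2021-02-01T02:14:00Z user=app_svc session=9002 rows=60000 stmt=SELECT name, email FROM supporters WHERE id BETWEEN 1 AND 60000
2021-02-01T02:16:30Z user=app_svc session=9002 rows=60000 stmt=SELECT name, email FROM supporters WHERE id BETWEEN 60001 AND 120000
2021-02-01T03:02:10Z user=report_ro session=9001 rows=250000 stmt=SELECT name, email, phone, address FROM supporters LIMIT 250000
2021-02-01T03:03:45Z user=report_ro session=9001 rows=250000 stmt=SELECT name, email, phone, address FROM supporters LIMIT 250000 OFFSET 250000
2021-02-01T03:09:00Z user=report_ro session=9001 rows=1800000 stmt=COPY payment_methods TO '/tmp/pm.csv'
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    table = TABLE_RE.search(m["stmt"])
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": m["user"],
        "session": m["session"],
        "rows": int(m["rows"]),
        "stmt": m["stmt"],
        "table": table.group(1).lower() if table else None,
    }


def analyze(log_text, row_limit=SESSION_ROW_LIMIT, window=WINDOW):
    """Return a list of findings; each is {rule, session, user, detail}."""
    findings = []
    history = defaultdict(list)   # session -> [(ts, rows)] inside the window
    volume_flagged = set()        # sessions already reported under rule 2
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["table"] not in PII_TABLES:
            continue
        verb = ev["stmt"].split(None, 1)[0].upper()
        # Rule 1: whole-table read or export of a PII table.
        if verb in ("SELECT", "COPY") and not FILTER_RE.search(ev["stmt"]):
            findings.append({"rule": "unfiltered_pii_read", "session": ev["session"],
                             "user": ev["user"], "detail": ev["stmt"]})
        # Rule 2: cumulative PII rows per session within the sliding window.
        hist = history[ev["session"]]
        hist.append((ev["ts"], ev["rows"]))
        cutoff = ev["ts"] - window
        hist[:] = [(t, r) for t, r in hist if t >= cutoff]
        total = sum(r for _, r in hist)
        if total > row_limit and ev["session"] not in volume_flagged:
            volume_flagged.add(ev["session"])
            findings.append({"rule": "bulk_pii_volume", "session": ev["session"],
                             "user": ev["user"],
                             "detail": f"{total} PII rows within {window}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:20} session={f['session']} user={f['user']} {f['detail']}")
```

On the constructed sample, the web application session and the filtered mailing query produce no findings, the chunked session trips only the volume rule, and the reporting session trips both rules. In a real deployment the log source would be the database's own audit facility and the thresholds would come from observed baselines per account, with the findings routed to a SIEM rather than printed.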