Oxfam Australia has suffered a data leak impacting 1.8 million donors.
# Incident Report: Oxfam Australia Data Leak
## Executive Summary
Oxfam Australia suffered a significant data breach that exposed the personal information of approximately 1.8 million donors, campaign participants, and customers. The compromised data, which included PII and potentially sensitive financial details, was discovered being sold on a dark web hacker forum. The primary impact is a heightened risk of phishing and scams for the affected individuals.
## Incident Details
- **Discovery Date:** Unknown (the forum sale listing was identified and reported by BleepingComputer on March 8, 2021)
- **Incident Date:** Before March 8, 2021; the exact date of the intrusion has not been disclosed
- **Affected Organization:** Oxfam Australia
- **Sector:** Non-profit / Charity / Aid and Development
- **Geography:** Australia (Organization base)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown
- **Vector:** Not disclosed. The content of the leaked data set implies unauthorized access to a supporter database.
- **Details:** Attackers gained access to a database containing supporter demographics and transactional history.
### Lateral Movement
- **Details:** Not disclosed; public reporting covers only the exfiltration from the compromised database.
### Data Exfiltration/Impact
- **Details:** Personally Identifiable Information (PII) was exfiltrated, including names, addresses, emails, phone numbers, and donor histories. There is suspicion that bank account numbers and partial credit card data were also leaked.
### Detection & Response
- **How it was discovered:** The stolen data was offered for sale on a dark web hacker forum; BleepingComputer identified the listing and reported it.
- **Response actions taken:** Oxfam Australia issued an official statement acknowledging the incident and advising affected individuals of potential risks (phishing/scams).
## Attack Methodology
- **Initial Access:** Unknown; compromise of the supporter database is inferred from the exfiltrated records, not confirmed.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not disclosed; the breadth of the exfiltrated records, including donor financial details, suggests the attacker held valid credentials or otherwise had direct query access to the database.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of PII and donor transaction records.
- **Exfiltration:** Data posted for sale on a dark web hacker forum.
- **Impact:** Exposure of sensitive supporter information, leaving the affected individuals at high risk of follow-on fraud, phishing, and scams.
## Impact Assessment
- **Financial:** Not quantified; costs for forensic remediation, notification of affected individuals, and any regulatory penalties are to be expected.
- **Data Breach:** Personally Identifiable Information (Names, addresses, emails, phone numbers, donor histories). Potential exposure of bank account numbers and partial credit card data for approximately 1.8 million records.
- **Operational:** Not detailed; Oxfam Australia's statement confirmed that the scope covered donors, campaign participants, and charity shop customers.
- **Reputational:** Negative press due to a breach affecting a high-profile charity organization.
## Indicators of Compromise
- **Network indicators - defanged:** Not available.
- **File indicators:** Not available.
- **Behavioral indicators:** Sale of breached data on a dark web forum.
## Response Actions
- **Containment measures:** Not disclosed; restricting access to the affected database would be the expected first step.
- **Eradication steps:** Not disclosed.
- **Recovery actions:** Not disclosed; public communications focused on advising affected individuals of the risks.
## Lessons Learned
- The sensitivity of donor data, even for non-profits, warrants robust security measures.
- Data retained from wound-down operations (the statement refers to former charity shop customers) keeps its breach exposure long after the business need for it has passed; retention should be reviewed and unneeded records deleted.
- Timely public disclosure and strong user awareness campaigns are crucial following a confirmed breach.
## Recommendations
- Conduct a thorough forensic investigation to confirm the full scope of financial data exposed.
- Review database access controls and network segmentation so that application accounts reach only the tables and rows they need, and bulk export paths are limited to audited, dedicated jobs.
- Enforce multi-factor authentication for all administrative and database access.
- Hunt in database audit and network logs for bulk reads, data staging, or exfiltration in the period before the forum listing appeared, since exfiltration may have preceded public disclosure by some time.
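The two database-focused recommendations above (restricted access and hunting for bulk reads) can be checked against audit logs with a small script. The following is an added example, not Oxfam Australia's tooling or anything from the original reporting; the log line format, table names, application subnet, and thresholds are all assumptions chosen for the illustration, and the sample events are constructed.

```python
"""Added example (not Oxfam Australia's tooling): hunt for bulk reads and
exports of donor tables in database audit logs.

The log format is an assumption for the example: one event per line,
    <ISO-8601 UTC timestamp> user=<db user> client=<ip> rows=<n> stmt=<SQL>
roughly what a pgaudit or MySQL general-log pipeline would be normalised
to before it reaches a SIEM.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data. The first three are ordinary
# per-donor lookups from the application tier; the last three are one
# out-of-hours session from an unexpected address pulling whole tables.
SAMPLE_LOG = """\
2021-02-10T09:00:01Z user=webapp client=10.1.2.15 rows=1 stmt=SELECT name, email FROM donors WHERE id = 48121
2021-02-10T09:00:02Z user=webapp client=10.1.2.15 rows=3 stmt=SELECT amount, paid_at FROM donations WHERE donor_id = 48121
2021-02-10T09:00:05Z user=webapp client=10.1.2.16 rows=1 stmt=SELECT name, email FROM donors WHERE id = 99012
2021-02-10T23:41:10Z user=reporting client=203.0.113.77 rows=1800000 stmt=SELECT * FROM donors
2021-02-10T23:43:55Z user=reporting client=203.0.113.77 rows=5200000 stmt=SELECT d.*, p.account_no FROM donations d JOIN payment_methods p ON p.donor_id = d.donor_id
2021-02-10T23:50:02Z user=reporting client=203.0.113.77 rows=0 stmt=COPY (SELECT * FROM donors) TO STDOUT
"""

# Tuning values are assumptions; derive them from a baseline of normal traffic.
SENSITIVE_TABLES = {"donors", "donations", "payment_methods"}
APP_NETWORKS = [ipaddress.ip_network("10.1.2.0/24")]  # assumed application tier
SINGLE_STATEMENT_ROWS = 10_000       # rows returned by one statement
SESSION_ROWS = 50_000                # rows returned by one (user, client) in the window
SESSION_WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<ip>\S+) rows=(?P<rows>\d+) stmt=(?P<stmt>.*)$"
)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)
EXPORT_RE = re.compile(r"^\s*COPY\b", re.IGNORECASE)  # PostgreSQL bulk export/import


def parse_event(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "ip": ipaddress.ip_address(m["ip"]),
        "rows": int(m["rows"]),
        "stmt": m["stmt"],
        "tables": {t.lower() for t in TABLE_RE.findall(m["stmt"])},
    }


def hunt(log_text):
    """Return a list of (rule, user, client_ip, detail) alerts for the given log text."""
    alerts = []
    session_reads = defaultdict(list)   # (user, ip) -> [(ts, rows), ...]
    session_flagged = set()
    for raw in log_text.splitlines():
        ev = parse_event(raw)
        if ev is None or not (ev["tables"] & SENSITIVE_TABLES):
            continue
        key = (ev["user"], str(ev["ip"]))
        # Rule 1: one statement returning an unusually large slice of a sensitive table.
        if ev["rows"] >= SINGLE_STATEMENT_ROWS:
            alerts.append(("bulk_read", *key, ev["stmt"]))
        # Rule 2: a bulk export command over a sensitive table. These often log
        # rows=0 for the statement itself, so the row threshold alone misses them.
        if EXPORT_RE.match(ev["stmt"]):
            alerts.append(("bulk_export", *key, ev["stmt"]))
        # Rule 3: sensitive tables read from outside the application tier.
        if not any(ev["ip"] in net for net in APP_NETWORKS):
            alerts.append(("unexpected_client", *key, ev["stmt"]))
        # Rule 4: staged collection, many smaller reads adding up within a window.
        reads = session_reads[key]
        reads.append((ev["ts"], ev["rows"]))
        recent = sum(r for t, r in reads if ev["ts"] - t <= SESSION_WINDOW)
        if recent >= SESSION_ROWS and key not in session_flagged:
            session_flagged.add(key)
            alerts.append(("session_volume", *key, f"{recent} rows within {SESSION_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, user, ip, detail in hunt(SAMPLE_LOG):
        print(f"{rule:18} {user}@{ip}: {detail}")
```

Run against the constructed sample, the three application lookups produce nothing, while the `reporting` session from 203.0.113.77 trips every rule: two single-statement bulk reads, a `COPY` export that reports zero rows and would be missed by a row-count threshold alone, three reads from outside the application subnet, and one session-volume alert. In a real environment, rule 3 is the cheapest win: if only the application tier and an audited batch host may reach the database, any other client address is an alert regardless of query shape.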