IT Brief Australia - Technology news for CIOs & IT decision-makers
Story image
Charity breach dark web leak: A lesson in cyber response
Mon, 18th Sep 2023

The recent Pareto Phone hack - which has apparently led to thousands of Australian charity donors' details being leaked onto the dark web - has generated fiery debate in recent days. Firstly, because of the sensitive nature of the industry and the wide-scale impact of the attack. But also due to the way in which the breached fundraising firm has responded.

The attack, which affected more than 70 charities, seemingly occurred months ago in April - and Pareto Phone has attracted criticism for taking four months to make this information public.

However, it is worth noting that admitting to a breach too quickly can also cause problems. 

Just look at what happened with WannaCry - one of the most damaging cybercrime attacks in history. It spread like wildfire because a vulnerability was published - and 1,000 businesses were then targeted, creating $4 billion in damages worldwide.

The problem is that the pace of cyber attacks and the demands on defence are intensifying. The US Securities and Exchange Commission recently announced new regulations that require affected firms to report breaches after just four days, whilst newly released research has also revealed that attacker dwell times have shrunk from 10 to eight days in the first seven months of 2023 (with ransomware attacks down to just five days).

So, this brings us to the difficult question: How long is too long when reporting a breach?

In the case of Pareto - they made a decision to keep the details of the breach quiet. Seemingly, they didn't believe there was a data leak to the dark web at the time of the breach, so they made a judgement call - and it turned out to be the wrong one.

They waited too long in the sense that they possibly thought the impact was less than it was. But they should tell people once they've remediated the fix and made sure it can't happen again. Once it isn't going to put someone else at risk, they should inform.

That's always your answer in these scenarios: Fix the issue, seal the leak, make sure no one else can be impacted by you sharing the knowledge, then inform.

The Pareto case also demonstrates the importance of data cleanup. If you only have to keep data for a certain amount of time, get rid of it as soon as that expiry date has arrived. Otherwise, you're just accumulating useless, extra data that doesn't need to be leaked.

Whenever a company is working with vendors, it should look at their data retention policies, examine their qualifications and ask the question: How long will you store my data, and what will you do with it?

Due diligence when you're about to use a new vendor is very important. By reading through contracts carefully and making informed decisions, you can mitigate risks. Use people who actually have contract law knowledge to go through.

Some companies store data for way too long. Why keep it? If your best friend changes their phone number, do you still need their old one? When it's no longer relevant, get rid of that data.

If you do get breached - hackers could get months or even years' worth of information that they didn't need.  And you should never let hackers get any more than they should.

In the instance of Pareto, we don't know if there's been a lack of data cleanup. We don't know the terms of their data retention, but a general rule is that you should never keep data longer than you need to.

As for those citizens who've been breached - they're more prone to phishing scams now, so it's just a case of them exercising caution. Follow the big rules: Don't click on emails and links you don't trust, and always go to any site directly rather than clicking a link in the email.

Another piece of advice worth following is opening multiple email accounts - including one that's basically for junk. Having a separate account for signing up for things you don't really want to give away your personal info to is useful, as that way, you only need to go into that email to verify your account.

And, of course, avoid using the same password for everything. If you're using an identical one for multiple accounts and a hacker gets their hands on it, they've got everything.

It's tricky in today's world: Every time you send an email, you're opening yourself up to potential hacks. But even those who have been affected by the Pareto incident - or any others - can stay safe by taking the right precautions.