Thousands of donors to Australian charities have had their personal information exposed online.

The breach unfolded after cybercriminals targeted Pareto Phone, a Brisbane-based telemarketing firm responsible for collecting donations from supporters on behalf of charities including the Cancer Council, Canteen, and The Fred Hollows Foundation.

Reports say more than 70 Australian charities used Pareto Phone's services, but not all of them were affected by the breach.

The leak raises serious concerns about the company's data retention practices. 

One charity alleged that Pareto Phone held onto donor information for as long as nine years without their knowledge, potentially violating the Australian Privacy Principles, which mandate the destruction or de-identification of personal data once it's no longer needed for its original purpose.

Several charities have confirmed that donor data, including names, dates of birth, addresses, email addresses, and phone numbers, has been exposed on the dark web. 

The Fred Hollows Foundation reported that 1,700 of its donors were affected, expressing deep disappointment in Pareto Phone's handling of their data. 

Médecins Sans Frontières (MSF), another charity, accused Pareto Phone of breaching Australian privacy laws and pledged to work with regulators to protect donor data.

Canteen, an organisation supporting young cancer patients, disclosed that 2,600 donors from 2020 and 2021 had their information compromised but assured donors that no financial data was accessed. 

The Cancer Council, while waiting for clarity on the extent of the breach, has confirmed that only a “very small number” of its donors were affected and that it has severed ties with Pareto Phone.

Pareto Phone, in response to the breach, is collaborating with forensic specialists to analyse the compromised data. 

CEO Chris Smedley issued an apology and said that, as of now, no identity documents such as tax file numbers, driver licences, or passports had been found in the breach.

The Australian government has expressed concern over the breach, with the Australian Signals Directorate's Australian Cyber Security Centre saying it is providing assistance. 

The four-month gap between the attack and the leak suggests that more data may be exposed in the future. 

Cybersecurity experts caution that the data already on the dark web might not represent the entirety of what the criminals possess.

The National Cyber Security Coordinator has been notified of the breach.