On 30 August 2024, the Australian Cancer Research Foundation (ACRF) informed its donors about a significant data security incident. According to the notification sent via email, a malicious actor gained unauthorized access to the charity’s network through a compromised email account. The breach was facilitated by a fraudulent email from an individual known to the charity, who had themselves been targeted by cybercriminals. It gave the actor temporary access to the ACRF’s network and several employee email accounts.
The ACRF’s CEO, Kerry Strydom, stated in the email that the security issue had been resolved. However, the charity warned donors about the potential exposure of their personal information. Compromised data may include contact details, donor IDs, payment histories, and personal information shared via email, such as stories or health details. While it is possible that bank and credit card details shared in writing before 2023 could be affected, the ACRF assured donors that data used through its secure payment gateway was not compromised.
In response to the breach, the ACRF has enlisted the help of cybersecurity experts and informed the Office of the Australian Information Commissioner, NSW Police, and the Australian Cyber Security Centre. The charity is actively monitoring both the deep and dark web to detect if any compromised data is shared online. To date, there is no evidence that the affected data has been published or disseminated.
The Australian Cancer Research Foundation, established in 1984, has been a key player in supporting cancer research, awarding over $184 million in grants to various Australian research institutions. This breach underscores the importance of robust cybersecurity measures and the need for vigilance in protecting sensitive donor information.