The ABC can reveal former staff of hacked tele-fundraiser Pareto Phone were not told for weeks that their highly sensitive employment information was published on the dark web.
More than 320,000 files stolen from Pareto servers by cybercriminals in April were made public on the dark web last month, including tens of thousands of charity donor details.
Highly sensitive documents like police checks, child support documents, pay negotiations, HR incidents, immigration sponsorship details, COVID vaccination credentials, tax file numbers, passports and licences were also swept up in the wide-reaching leak.
Some former staff who were named told the ABC they were not informed by the company, despite the information being stolen in April and published more than a fortnight ago.
Pareto Phone collects donations on behalf of well-known charities, with more than 70 believed to be involved.
Dozens of employees have been named in the data breach.
Some of the sensitive employee information was up to eight years old.
Outcomes of board meetings and Christmas party photo albums were also published.
Do you know more?
If you have any information about this story, contact Jemima Burt.
Many employee records held by companies are not protected in the same way as customer data under the Privacy Act.
The Employment Records Exemption excludes documents pertaining to leave, taxation, banking, union, resignation information and even disciplinary action from standard privacy obligations.
But HopgoodGanim Employment lawyer Andrew Tobin said the scope of documents published in the Pareto Phone breach means the company might not be protected.
He said files including passport copies, child support details, individual pay information and tax file numbers might not be captured by the exemption – and could expose the company to litigation under other legislation.
“I genuinely don’t think that the exemption is all that clearly applicable to the scenario,” Mr Tobin said.
“Was the employer’s lack of attention to security matters and acts, for the purposes of the exemption, directly related to the employment relationship?
“You’d have to sort of think long and hard about that, because it probably wasn’t, it was a lack of diligence,” Mr Tobin said.
Numerous charities have accused Pareto Phone of breaching Australian Privacy Principles for retaining information up to 15 years old, beyond when the customer data was being used.
Last year a report by the Attorney General’s Department proposed to enhance privacy protections for private sector employees by amending or removing the employee records exemption.
“Submissions from employers and their representatives express a strong desire to retain the exemption or strengthen it. Submissions from employee representatives and other stakeholders consider that reform is needed,” the report said.
No action has been taken since.
Mr Tobin said if the exemption was removed, many private sector workplaces would fall short.
“I can point to a lot of employers, the vast, vast majority, who don’t actually have appropriate systems in place for the proper protection of that kind of information,” Mr Tobin said.
He said concerned employees could make their own complaints to the privacy watchdog.
Pareto Phone has not responded to the ABC’s requests for comment.
The list of charities involved has grown.
Tens of thousands of donors have had personal details like date of birth and contact details published, some have contained bank details while others have been largely unaffected.
Those named in the breach now include Hello Sunday Morning, Great Barrier Reef Foundation, Guide Dogs Vic, Taronga Zoo, The Walter and Eliza Hall Institute, RSPCA Qld & NSW, World Vision, Vinnies Qld, ActionAid, UNHCR, Greenpeace, Peter MacCallum Cancer Centre, Catholic Mission, SEDA, Make-a-Wish, Cerebral Palsy Alliance, Mission Australia, Wilderness Society, Black Dog Institute, Water Aid, Leukaemia Foundation, Diabetes NSW, Garvan Research Foundation, Four Paws, Flinders Foundation, Oxfam Australia, Variety NSW, Cancer Council SA, Vic & Qld, Arthritis Qld, Barnardos Australia, Stroke Foundation, Caritas Australia, Starlight Foundation, Youngcare, CBM Australia, Baker Heart and Diabetes Institute, Berry Street, Anglican Overseas Aid, Red Cross, Alfred Foundation, WWF Australia, Australian Conservation Foundation, PLAN Australia, The Heart Foundation, Canteen Australia, Fred Hollows Foundation, Amnesty International Australia, The Children’s Cancer Institute, Médecins Sans Frontières, Save the Children, Bush Heritage Australia, Vision Australia.
Many, but not all, have had donor information stolen.
A number of charities in New Zealand were also involved including Childfund NZ, Canteen NZ, Amnesty NZ.
Stay up to date with Queensland news:
This content was originally published here.
