Public Notice of Cyber Security Incident & FAQ's
Cyber Security Incident - Pareto Phone Data Breach
In 2014 ChildFund NZ partnered with a telemarketing company, Pareto Phone Limited, to conduct fundraising activity on our behalf. Pareto Phone works with various charities providing fundraising services, and may have contacted you around that time for that purpose.
Pareto Phone experienced a cyber incident in April of this year resulting in its systems being accessed by an unknown unauthorised third party. Unfortunately, the affected information includes some personal contact information about donors, including ChildFund NZ donors. ChildFund NZ is one of 70 charities impacted the data breach.
At this stage we are not aware of any harm that has arisen for ChildFund NZ donors as a result of this cyber security incident. However, we wanted to provide the further information below to ensure donors can take steps to protect themselves.
Frequently Asked Questions (FAQs)
When did the cyber incident happen?
The cyber incident affecting Pareto Phone’s systems occurred in April this year. Pareto Phone became aware of it on 8 August 2023 and urgently engaged forensic experts to contain the incident and to carry out a full investigation to ensure the ongoing safety and security of its systems. Pareto Phone notified ChildFund NZ of the incident on 11 August 2023.
What data was accessed?
We have been working closely with Pareto Phones to determine the nature of the data accessed and the specific donors impacted to ensure the accuracy of any notification to affected individuals. Based on Pareto Phones’ investigation, there is no evidence that any of our donors’ financial or banking information has been accessed.
The data accessed included the following contact information in relation to ChildFund NZ donors:-
- Titles and names
- Postal addresses and postcodes
- Phone numbers
- Reference numbers from a previous version of our Customer Relationship Management system (which are no longer in use.)
We understand that Pareto Phone held records of client donors for active and non-active campaigns for fundraising purposes. We have requested that, after its investigation into this incident is finalised, Pareto Phone deletes all ChildFund NZ information
What action has Pareto Phone taken?
Once aware of the unauthorised access to data, Pareto Phone worked urgently to contain the threat and investigate what occurred. Pareto Phone also engaged external cyber security experts to assist with their response to the incident and is continuing to work with these experts to ensure the ongoing safety and security of its systems.
What action has ChildFund NZ taken?
On learning of the incident from Pareto Phone, ChildFund NZ conducted a thorough check of its own systems and are not aware of any cyber incidents or data breaches having occurred on its systems. ChildFund NZ also notified the OPC of the incident on 6 September 2023.
Has the data accessed in the cyber incident been destroyed?
Pareto Phone have confirmed that they have taken steps to seek and remove all personal contact information relating to donors from the impacted server. However, Pareto Phone has retained data impacted by the incident on a separate offline quarantined server for forensic purposes and to enable Pareto Phone to meet its legal obligations in connection with the incident and to answer relevant enquires about the incident from individuals, charities and regulators. As soon as the incident has been fully closed out, all of that offline data will also be deleted.
Is my data safe for future ChildFund NZ telemarketing fundraising
ChildFund NZ no longer uses Pareto Phone for telemarketing fundraising initiatives. Our current telemarketing partner, Cornucopia, has strict data protection policies and procedures in place, including procedures to ensure that personal information:
- is stored on an internal server accessed via intranet (not internet);
- is subject to appropriate access restrictions;
- is anonymized and destroyed 3 months after the final call completion
What could happen as a result of my personal contact information being accessed?
While some of the information accessed will be out of date, there is a risk that the information could be used to contact you for fraudulent activity or scams. Please remain vigilant if you are contacted by anyone claiming to be from or working on behalf of ChildFund NZ.
If you are in any doubt about any fundraising communications you receive, please do not respond. Give our Donor Services team a call on 0800 808 822 to verify the fundraising activity is legitimate or you can contact IDCARE (using the details in the section titled “What can I do to protect myself” below).
What can I do to protect myself?
ChildFund NZ is not aware of any harm that has arisen for donors as a result of this cyber incident. However, you should always remain alert to any fraudulent or suspicious activity, particularly any scam activity.
You should always exercise good password practice, like using strong passwords, changing them frequently and having different passwords for different accounts. For more helpful information on protecting yourself from a privacy breach we recommend you read the helpful information included on the OPC website at www.privacy.org.nz.
In addition, Pareto Phone has made available the services of IDCARE, New Zealand’s national identity and cyber support service. They will work with you to address any concerns you have in relation to Pareto Phone’s data breach. Please complete an online Get Help form at www.idcare.org or call 0800 121 068 between 11am – 6pm Monday – Friday. Please quote referral code PAPHCH23 when engaging their services.
We encourage you to contact the ChildFund NZ team on 0800 808 822 if you have any questions or concerns. You may also complain to the Office of the Privacy Commissioner (OPC) in relation to this incident.