Late on Friday, Amnesty International Australia sent an email to supporters informing them their data may be at risk due to “anomalous activity” detected in its IT environment.
While the email went out very late in the day/week, it also went out a very long time after the activity was found. The email, sighted by Gizmodo Australia, says the activity was detected late last year.
“As soon as we became aware of this activity on 3 December 2022, we engaged leading external cyber security and forensic IT advisors to determine if any unauthorised access to our IT environment had occurred,” Amnesty International Australia said.
“We acted quickly to ensure the AIA IT environment was secure and contained, put additional security measures in place and commenced an extensive investigation.”
While Amnesty International took quite a while to tell its supporters it had suffered a security breach, the organisation said its investigation is now complete and found that an unauthorised third party gained temporary access to its IT environment.
“In the course of this investigation, we identified that some low-risk information relating to individuals who made donations in 2019 was accessed, but of low risk of misuse,” the organisation wrote.
Although “low risk” information wasn’t defined, it’s easy to deduce from the security tips it provided that the data is likely to be names, email addresses, and phone numbers.
Despite being content that the data accessed in the breach won’t be misused, Amnesty International Australia urged its supporters to “carefully scrutinise all emails”, “don’t answer calls from unknown or private numbers”, and “never click on links in SMS messages or social media messages you are not expecting to receive”.
“We would like to take this opportunity to assure you there is no evidence that any of the low-risk information has been (or will be) misused as a result of the cyber event,” the email added.
“We do however, urge all our community to remain vigilant.”
Amnesty International Australia said the breach was limited to the local arm of the organisation and did not affect any other branches. It also said the scale of the “information accessed in the cyber event” doesn’t meet the criteria or threshold for notification under the Notifiable Data Breaches Scheme, but that Amnesty International Australia had chosen to inform its supporters “in the interest of transparency”.