ACRF Response to Phishing Attack
We regret to share that ACRF has experienced a cyber incident that may have affected the security of some stakeholders’ personal information held by us.
We take this matter very seriously and are publishing this notice to share what has happened, what we are doing about it, and what steps you can take to protect yourself. We encourage you to read this information carefully to understand what it may mean for you and how ACRF is supporting you.
We sincerely apologise for any upset this notice may cause you or your loved ones.
1. What happened?
ACRF received a fraudulent email from one of our vendors that had itself also been the victim of unauthorised activity. This allowed an unauthorised third party to gain temporary access to our network, including access to the email inboxes of a few of our employees. This issue has since been rectified.
Our investigation has been unable to confirm the extent of the data in the compromised mailboxes that was actually accessed by the unauthorised third party. However, given the possibility that personal information in those mailboxes may have been accessed in an unauthorised manner, we wish to inform our stakeholders of this potential risk.
2. What types of personal information were impacted?
The types of personal information that may have been impacted (if any) depend on your relationship with ACRF.
We say may have been impacted because we aren’t able to conclude with certainty which data in these inboxes was actually accessed by the unauthorised third party. Nevertheless, it is important to take precautionary measures to protect yourself. We have outlined these steps in the response to Question 4.
Our Donors:
- contact details;
- Donor ID;
- history of payments and/or donations made to us including payment method or payment identification number (eg BPay ID), credit card or bank account details provided to ACRF in writing before 2023 either by filling out a form or sending us an email; and
- information you have shared with us when communicating with members of our team (for example personal experiences or stories, and/or health information, either about you or your loved ones, that you have shared with us).
Our Members / Trustees:
- contact details;
- Donor ID;
- donation/payment history;
- payment details provided to ACRF either by filling out a form or sending us an email; and
- information you have shared with us when communicating with members of our team (for example personal experiences or stories, and/or health information, either about you or your loved ones, that you have shared with us).
Our Staff (past and present):
- contact details;
- information you provided to us in the course of your employee onboarding (including government identifiers such as your driver’s license, passport, Medicare details and background check information);
- employee-specific information (including payroll details, TFN details and PAYG slips); and
- information in your employee file (including your contract, Centrelink details, expense reimbursements, details in relation to absences, illness and performance, and other employment records).
Individuals involved in court proceedings where ACRF was a beneficiary:
We also identified a further cohort of individuals, who were a party to, or participated in, a court matter related to the estate of a donor to ACRF. As ACRF was listed as a beneficiary in this matter, we received copies of affidavits and court documents related to the proceedings and may have corresponded about our involvement in the proceedings. These materials include:
- contact details;
- your entitlements as a beneficiary under a will;
- information about the proceedings;
- personal descriptions and recounts, or opinions in respect of the deceased, their beneficiaries and other family members expressed by you; and/or
- personal descriptions and recounts of others in which you are mentioned, or opinions about you stated by other parties to the proceeding.
3. How will notification work?
If you have been identified as being at sufficient risk as a result of the incident and we have your (recent) contact information, ACRF will notify you directly.
If you have received a notification directly from us, please refer to that notification, which contains information specific to you as to what personal information may have been impacted.
We have been unable to directly notify some individuals as we do not have their recent contact details. If you have not received a notice, but are concerned you may be impacted, please let us know.
Please always check the sender of any communications purporting to be from ACRF. We will never demand money from you. If you receive any communications or other activity purporting to be from ACRF which causes you concern, please let us know immediately by contacting us at info@acrf.com.au or 1300 884 988.
4. What can I do to protect myself?
Immediate steps to take
We encourage you to always remain vigilant to scams by taking the following steps:
- We recommend you remain vigilant against incidents of identity theft, for example by reviewing your bank and credit card account statements regularly for any suspicious activity. If you notice activity that is unusual or suspicious, please contact your bank or credit card issuer immediately. To verify any payments made to us please contact us at info@acrf.com.au or call us at 1300 884 988.
- We recommend you familiarise yourself with guidance on protecting yourself from scams. Remember that scammers may use information they already know about you in order to appear trustworthy. For example, a scammer could use information about your donation history to request donations from you. ACRF will typically engage with you through our regular newsletters, phone calls and appeals. We have not updated our bank account details.
- The Australian Scamwatch initiative offers guidance here. IDCARE also provides support and advice on identity and cyber matters and you can request individual support here. See also recent OAIC guidance here.
- We recommend you remain vigilant to any emails, calls or texts from unknown or suspicious senders (including any that appear to be from any of our team members).
- Please escalate any concerns or suspicious activities relating to your engagement with us, immediately by contacting us at info@acrf.com.au or 1300 884 988.
Additional precautionary measures
We also encourage you to consider the following additional precautionary measures:
- Monitoring for suspicious activity on any of your online accounts.
- As a general good practice, please remember never to share sensitive personal details like passwords over email or phone calls even if they appear legitimate.
- Avoid clicking on any links or opening any emails that appear to come from us or are from any unknown senders.
- Carefully scrutinise any donation requests or financial documents that you receive from us and contact us directly using the details on our website to verify the communication.
- Use unique passwords and change your existing passwords to strong passwords that you have not used for other accounts and enable multi-factor authentication for all accounts.
- If you have provided us with any health information, inform your health insurance provider of this incident and remain alert to any calls or emails claiming to be from your health insurance provider.
- If you have provided us with your bank account or credit card details, change your banking or credit card PIN number and request that your bank monitor your accounts for any suspicious activity, such as unauthorised transactions or log-in attempts. Stay on the lookout for any scam messages that may quote your BPay number or other payment details to you. Contact your bank directly if concerned.
- Request your credit report from Equifax, Illion or Experian and check it for any unauthorised loans or applications.
- If you have concerns about any government-issued identity documents that you may have provided to ACRF, you can contact the agency that issued that document for advice, or IDMatch, which provides free state and territory specific guidance via call or email to help you protect your government identity, accounts and devices.
- If you ever feel that your physical safety is at risk, you should contact the police. If you feel that your mental health and safety is at risk, you should contact your doctor or a support service or your family or friends.
Please note that if you receive a notification from ACRF, your notification will include additional information about what to do in relation to the specific types of personal information that may have been impacted.
5. Is my data on the dark or deep web?
Our investigations to date do not indicate that any information has been published on the dark or deep web as a result of this incident.
6. What has ACRF done to respond to the incident?
Following detection of unusual activities, we engaged cyber incident response experts to help us respond to this incident. We also reported the incident to the Office of the Australian Information Commissioner (OAIC), the New South Wales Police and the Australian Cyber Security Centre (ACSC).
ACRF has also:
- via our external experts, commenced dark and deep web monitoring (including on forums, marketplaces and for other general activity for compromised credentials) for any data belonging to ACRF. To date, there is no evidence of any of ACRF’s information being published on the dark web as a result of this incident; and
- enhanced the security of our systems.
7. Why is ACRF notifying individuals now?
We needed to investigate the issue and understand what happened and who it impacted. That takes time. It was also important for us to be as clear as possible with our donors, members, staff and other stakeholders about how they may have been impacted so that they could take meaningful action to protect themselves.
We apologise for any upset this may cause you or your loved ones.
If you have any questions or would like to speak to an ACRF representative about this matter, please get in touch with us via email at info@acrf.com.au or call us directly at 1300 884 988.
For media enquiries contact info@acrf.com.au