ChildFund NZ reveals third-party security breach
In a bit of a pickle recently? Yes, ChildFund New Zealand has had a spot of bother involving a data breach at a contracted telemarketing company called Pareto Phone Limited. Back in 2014, ChildFund had asked Pareto to help out with fundraising activities.
The tricky part is that it’s hazy when ChildFund might have ended its working relationship with Pareto. But here’s the twist: Pareto fell prey to a cyberattack in April this year, leading to the personal data of ChildFund NZ’s donors falling into the hands of some dodgy characters. Ominously, ChildFund NZ is merely one of the 70 charity victims in the Pareto data breach.
The statement given by ChildFund leaves a couple of puzzling questions. You see, Pareto Phone was harbouring records of donors who were linked to both active and non-active fundraising campaigns. It now seems ChildFund’s old data was still stored with Pareto even when it was past its use-by date. This raises the question: did ChildFund’s deal with Pareto require unnecessary data from previous donor drives to be deleted?
From 2014 onwards, did the folks at ChildFund NZ ever ask whether Pareto was indeed clearing out data that didn’t need storing anymore? And if so, when was the last time ChildFund got down to checking this?
And here’s the big one: just how many people are being informed about this breach?
Now, ChildFund NZ assures its flock that it has stopped relying on Pareto Phone for its telemarketing fundraising. Instead, it has a new partner, Cornucopia. Their data protection rules are quite watertight, I hear: everything is stored safely on an internal server, proper access restrictions are in place, and any personal information is made anonymous and destroyed 3 months after the final call is completed.
But did they have the same precautions in their contract with Pareto? What sort of nitty-gritty details were in their agreement, and when did it wrap up? Did the contract require Pareto to either return or securely destroy all data when it ended?
While they’re caught up in the aftermath of Pareto’s breach, one does wonder: what steps has ChildFund NZ taken since 2014 to see to it that its donor data was well protected and properly disposed of by Pareto?
Eager for answers, I sent an email inquiry to the folks at ChildFund NZ to query some of these matters. Alas, no word back as of yet. But patience is a virtue, as they say. Here’s hoping there’ll be clarity on this whole affair soon.
by Parker Bytes