Contact

OAIC Accepts Enforceable Undertaking From Oxfam

Published
27 Mar 2025
Read time
5 min read
Category
Opinion

The Office of the Australian Information Commissioner (OAIC) recently accepted an enforceable undertaking from Oxfam, related to a data breach in 2021. The OAIC’s investigation revealed a host of poor privacy practices at the non-profit, and there are important lessons for others operating in this sector from this breach and the enforceable undertaking. 

What Happened in Oxfam’s Data Breach?

On January 20, 2021, Oxfam Australia experienced a data breach where an unauthorized user accessed their User Acceptance Testing (UAT) database and accessed up to around 1.7 million records. This database contained personal information of Oxfam’s supporters, including names, addresses, dates of birth, donation history, and for a small number of individuals, financial details like account numbers and masked credit card information were also included. Oxfam had held much of the information for more than 7 years. 

Discovering the data breach

Oxfam became aware of the breach when they found records being advertised for sale on an online forum for stolen data (RaidForum).  14 sample records were published on the forum too, which Oxfam used to verify the breach. Following the discovery, Oxfam notified the Australian Information Commissioner (OAIC) and the affected individuals.

Poor privacy practices revealed

The OAIC launched an investigation into Oxfam’s data handling practices and raised concerns about a range of poor practices, including: 

  • Its use of live supporter data in the testing environment
  • The length of time it retained personal information 
  • Its use of shared credentials.

The OAIC also noted that in some cases over seven years for individuals who had not donated to or been contacted by Oxfam during that time and even for some who had made a Do Not Contact request of Oxfam. This highlights the relative lack of data disposal practices at Oxfam during this period. 

The enforceable undertaking

Oxfam has agreed to an enforceable undertaking. This includes commitments to improve its security and operational procedures, such as: 

  • Implementing individual credentials where possible and controls where this is not possible; 
  • Employing multifactor authentication: 
  • Providing privacy and security training to staff; and
  • Enforcing stronger password controls.

We recommend that all non-profits adopt these privacy practices at a minimum if you collect and store any personal information from your supporters and stakeholders. 

Oxfam also agreed to destroy or de-identify the personal information of individuals who haven’t engaged with them in over seven years, those with invalid engagement dates in their system, and those who requested no contact and haven’t engaged in seven years. 

Additionally, Oxfam will review their testing processes, engage an independent expert to assess their compliance with the Privacy Act, and participate in a public engagement program with the OAIC about the incident.

Further Privacy Improvements Oxfam Adopted After The Breach

In addition to the requirements outlined in the enforceable undertaking, Oxfam implemented further procedures to uplift its privacy practices, including:  

  • Assessing and evaluating the strength of its security systems and posture; 
  • Implementing IP whitelisting;
  • Improved identity and access management, including multi-factor authentication, single sign-on mechanisms, and biometric authentication in some cases; 
  • Dark web monitoring; 
  • Improved log retention periods; and 
  • Implementing detection and response software on its systems and relevant user machines.

Other Data Breaches in the Non-Profit Sector

The non-profit sector is attractive to cyber criminals and, with many being underfunded with overworked and undertrained teams, they can be somewhat of a soft target. 

We have seen a number of high profile cyber attacks involving the non-profit sector in Australia, including: 

  • The Pareto Phone ransomware attack, which targeted a charity telemarketing firm, stealing the personal information of around 50,000 individuals. More here.

Next Steps for Non-Profits

The OAIC published a detailed guidance for non-profit organisations in 2024. The insights remain relevant today, and we strongly recommend reading the guidance as a starting point. 

Next, consider the steps Oxfam took to improve its privacy and security posture. Has your non-profit got those same measures in place? If not, your next step is to review your practices and create a roadmap for improving your current practices. 

In this regard, there’s a list from the Australian Signals Directorate that’s helpful: 

  1. Turn on multi-factor authentication where possible.
  2. Check automatic updates are on and install updates as soon as possible.
  3. Back up important files and device configurations often. Test your backups on a regular basis.
  4. Use a reputable password manager to create strong, unique passwords or passphrases for your accounts.
  5. Provide cybersecurity training, particularly on how to recognise scams and phishing attempts.
  6. Use access controls and review them often so staff can only access what they need for their duties. This will reduce potential damage caused by malware or unauthorised access to systems.
  7. Use only reputable and secure cloud services and managed service providers.
  8. Test cybersecurity detection, incident response, business continuity and disaster recovery plans often.
  9. Review the cybersecurity posture of remote workers and connections. Make sure staff are aware of secure ways to work remotely such as not accessing sensitive information in public.
  10. Report a cybercrime, incident or vulnerability to protect yourself from further harm.
  11. Join ASD’s Cybersecurity Partnership Program as a business or network partner. This free program provides advice and insights on the cybersecurity landscape.

You can find a downloadable version of this checklist here

Finally, the OAIC really emphases in its guidance to non-profits that you cannot lose information you don’t hold. In other words, it’s crucial to focus on deleting or deidentifying data at adequate intervals. 

And, as we said in our earlier coverage of the OAIC’s guidance for non-profits: Boiling it down, when it comes to protecting personal information, there are 3 key things to keep in mind:

  • Only collect personal information you need.
  • Store that information securely.
  • Delete the information when no longer required.

Our team of privacy consultants regularly works with non-profits to bolster privacy and security practices. If your organisation needs help, feel free to reach out for an obligation-free consultation. 

Or join our free 2 x monthly newsletter to stay on top of trends and training in Australian privacy:

var gform;gform||(document.addEventListener("gform_main_scripts_loaded",function(){gform.scriptsLoaded=!0}),document.addEventListener("gform/theme/scripts_loaded",function(){gform.themeScriptsLoaded=!0}),window.addEventListener("DOMContentLoaded",function(){gform.domLoaded=!0}),gform={domLoaded:!1,scriptsLoaded:!1,themeScriptsLoaded:!1,isFormEditor:()=>"function"==typeof InitializeEditor,callIfLoaded:function(o){return!(!gform.domLoaded||!gform.scriptsLoaded||!gform.themeScriptsLoaded&&!gform.isFormEditor()||(gform.isFormEditor()&&console.warn("The use of gform.initializeOnLoaded() is deprecated in the form editor context and will be removed in Gravity Forms 3.1."),o(),0))},initializeOnLoaded:function(o){gform.callIfLoaded(o)||(document.addEventListener("gform_main_scripts_loaded",()=>{gform.scriptsLoaded=!0,gform.callIfLoaded(o)}),document.addEventListener("gform/theme/scripts_loaded",()=>{gform.themeScriptsLoaded=!0,gform.callIfLoaded(o)}),window.addEventListener("DOMContentLoaded",()=>{gform.domLoaded=!0,gform.callIfLoaded(o)}))},hooks:{action:{},filter:{}},addAction:function(o,r,e,t){gform.addHook("action",o,r,e,t)},addFilter:function(o,r,e,t){gform.addHook("filter",o,r,e,t)},doAction:function(o){gform.doHook("action",o,arguments)},applyFilters:function(o){return gform.doHook("filter",o,arguments)},removeAction:function(o,r){gform.removeHook("action",o,r)},removeFilter:function(o,r,e){gform.removeHook("filter",o,r,e)},addHook:function(o,r,e,t,n){null==gform.hooks[o][r]&&(gform.hooks[o][r]=[]);var d=gform.hooks[o][r];null==n&&(n=r+"_"+d.length),gform.hooks[o][r].push({tag:n,callable:e,priority:t=null==t?10:t})},doHook:function(r,o,e){var t;if(e=Array.prototype.slice.call(e,1),null!=gform.hooks[r][o]&&((o=gform.hooks[r][o]).sort(function(o,r){return o.priority-r.priority}),o.forEach(function(o){"function"!=typeof(t=o.callable)&&(t=window[t]),"action"==r?t.apply(null,e):e[0]=t.apply(null,e)})),"filter"==r)return e[0]},removeHook:function(o,r,t,n){var e;null!=gform.hooks[o][r]&&(e=(e=gform.hooks[o][r]).filter(function(o,r,e){return!!(null!=n&&n!=o.tag||null!=t&&t!=o.priority)}),gform.hooks[o][r]=e)}}); gform.initializeOnLoaded( function() {gformInitSpinner( 2, 'https://privacy108.com.au/wp-content/plugins/gravityforms/images/spinner.svg', false );jQuery('#gform_ajax_frame_2').on('load',function(){var contents = jQuery(this).contents().find('*').html();var is_postback = contents.indexOf('GF_AJAX_POSTBACK') >= 0;if(!is_postback){return;}var form_content = jQuery(this).contents().find('#gform_wrapper_2');var is_confirmation = jQuery(this).contents().find('#gform_confirmation_wrapper_2').length > 0;var is_redirect = contents.indexOf('gformRedirect(){') >= 0;var is_form = form_content.length > 0 && ! is_redirect && ! is_confirmation;var mt = parseInt(jQuery('html').css('margin-top'), 10) + parseInt(jQuery('body').css('margin-top'), 10) + 100;if(is_form){form_content.find('form').css('opacity', 0);jQuery('#gform_wrapper_2').html(form_content.html());if(form_content.hasClass('gform_validation_error')){jQuery('#gform_wrapper_2').addClass('gform_validation_error');} else {jQuery('#gform_wrapper_2').removeClass('gform_validation_error');}setTimeout( function() { /* delay the scroll by 50 milliseconds to fix a bug in chrome */ }, 50 );if(window['gformInitDatepicker']) {gformInitDatepicker();}if(window['gformInitPriceFields']) {gformInitPriceFields();}var current_page = jQuery('#gform_source_page_number_2').val();gformInitSpinner( 2, 'https://privacy108.com.au/wp-content/plugins/gravityforms/images/spinner.svg', false );jQuery(document).trigger('gform_page_loaded', [2, current_page]);window['gf_submitting_2'] = false;}else if(!is_redirect){var confirmation_content = jQuery(this).contents().find('.GF_AJAX_POSTBACK').html();if(!confirmation_content){confirmation_content = contents;}jQuery('#gform_wrapper_2').replaceWith(confirmation_content);jQuery(document).trigger('gform_confirmation_loaded', [2]);window['gf_submitting_2'] = false;wp.a11y.speak(jQuery('#gform_confirmation_message_2').text());}else{jQuery('#gform_2').append(contents);if(window['gformRedirect']) {gformRedirect();}}jQuery(document).trigger("gform_pre_post_render", [{ formId: "2", currentPage: "current_page", abort: function() { this.preventDefault(); } }]); if (event && event.defaultPrevented) { return; } const gformWrapperDiv = document.getElementById( "gform_wrapper_2" ); if ( gformWrapperDiv ) { const visibilitySpan = document.createElement( "span" ); visibilitySpan.id = "gform_visibility_test_2"; gformWrapperDiv.insertAdjacentElement( "afterend", visibilitySpan ); } const visibilityTestDiv = document.getElementById( "gform_visibility_test_2" ); let postRenderFired = false; function triggerPostRender() { if ( postRenderFired ) { return; } postRenderFired = true; gform.core.triggerPostRenderEvents( 2, current_page ); if ( visibilityTestDiv ) { visibilityTestDiv.parentNode.removeChild( visibilityTestDiv ); } } function debounce( func, wait, immediate ) { var timeout; return function() { var context = this, args = arguments; var later = function() { timeout = null; if ( !immediate ) func.apply( context, args ); }; var callNow = immediate && !timeout; clearTimeout( timeout ); timeout = setTimeout( later, wait ); if ( callNow ) func.apply( context, args ); }; } const debouncedTriggerPostRender = debounce( function() { triggerPostRender(); }, 200 ); if ( visibilityTestDiv && visibilityTestDiv.offsetParent === null ) { const observer = new MutationObserver( ( mutations ) => { mutations.forEach( ( mutation ) => { if ( mutation.type === 'attributes' && visibilityTestDiv.offsetParent !== null ) { debouncedTriggerPostRender(); observer.disconnect(); } }); }); observer.observe( document.body, { attributes: true, childList: false, subtree: true, attributeFilter: [ 'style', 'class' ], }); } else { triggerPostRender(); } } );} );
Ready to turn insight into action?
Connect with Privacy 108.

"*" indicates required fields

This field is for validation purposes and should be left unchanged.
Privacy 108 collects your name and contact details to respond to your enquiry and communicate with you about it. If you do not provide this information, we may be unable to respond. We do not disclose this information to third parties. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au.
Siska Lund
Privacy, security and training
Siska is a globally experienced privacy and commercial counsel specialising in data, technology, and strategic legal advisory across complex industries.
Siska Lund
Privacy, security and training
Siska is a globally experienced privacy and commercial counsel specialising in data, technology, and strategic legal advisory across complex industries.
Talk to us?
Looking to take your business to the next level? Speak with our experts today!
Contact us
Related articles
  • 1300 41 20 50
  • Level 3, 240 Queen St, Brisbane QLD 4000
  • Ground Floor Reception, 3 Spring St, Sydney NSW 2000
  • PO Box 3295, Yeronga QLD 4104
  • Follow us on LinkedIn
Services
Privacy Risk Management Privacy Impact Assessments AI Governance Privacy Legal Services Research and Policy
Company
About Privacy 108 Our Team Careers Insights Contact Us Privacy Policy Terms & Conditions
Subscribe to our newsletter
Subscribe
Privacy 108 Consulting Pty Ltd ABN 52 600 425 885 is an incorporated legal practice registered with the Queensland Law Society. Liability limited by a scheme approved under Professional Standards Legislation.
We respectfully acknowledge the Traditional Owners of the land we work on and pay our respects to their Elders past, present and future in maintaining the culture, country and their spiritual connection to the land.
© 2026 by Privacy 108 Consulting Pty Ltd. ABN 52 600 425 885
Website by DeeperLook
Subscribe to our Newsletter

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Privacy 108 collects your name and email to send you our newsletter. If you do not provide this information, we will be unable to send it to you. We may use third-party service providers (such as email marketing platforms) to distribute our communications. Some providers may store information overseas, including in the United States. For more information about how we handle your personal information, including how to access or correct it or make a complaint, please see our Privacy Policy or contact us at hello@privacy108.com.au. You can unsubscribe at any time using the link in our emails or by contacting hello@privacy108.com.au.