OAIC Accepts Enforceable Undertaking From Oxfam
The Office of the Australian Information Commissioner (OAIC) recently accepted an enforceable undertaking from Oxfam, related to a data breach in 2021. The OAIC’s investigation revealed a host of poor privacy practices at the non-profit, and there are important lessons for others operating in this sector from this breach and the enforceable undertaking.
What Happened in Oxfam’s Data Breach?
On January 20, 2021, Oxfam Australia experienced a data breach in which an unauthorised user gained access to its User Acceptance Testing (UAT) database and accessed up to around 1.7 million records. The database contained personal information of Oxfam’s supporters, including names, addresses, dates of birth and donation history; for a small number of individuals it also held financial details such as account numbers and masked credit card information. Oxfam had held much of the information for more than 7 years.
Discovering the data breach
Oxfam became aware of the breach when it found records being advertised for sale on an online forum for stolen data (RaidForums). 14 sample records had also been published on the forum, which Oxfam used to verify the breach. Following the discovery, Oxfam notified the Australian Information Commissioner (OAIC) and the affected individuals.
Poor privacy practices revealed
The OAIC launched an investigation into Oxfam’s data handling practices and raised concerns about a range of poor practices, including:
- Its use of live supporter data in the testing environment
- The length of time it retained personal information
- Its use of shared credentials.
The OAIC also noted that in some cases personal information had been retained for over seven years for individuals who had not donated to or been contacted by Oxfam during that time, and even for some who had made a Do Not Contact request to Oxfam. This highlights the relative lack of data disposal practices at Oxfam during this period.
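The first concern above, live supporter data in a test environment, is the one a test database refresh can remove entirely. The following is an added example, not code from Oxfam or the OAIC, of how a production supporter export can be de-identified before it is loaded into a UAT environment: direct identifiers are replaced with keyed pseudonyms (so records still join), addresses and dates of birth are generalised, card numbers are masked to the last four digits, and bank details are dropped. The record layout, field names and key are assumptions for the example; the sample records are constructed and describe no real person.

```python
import hashlib
import hmac
import re

# Constructed sample of what a production supporter export might contain.
# Every person, address and number below is made up for this example.
SUPPORTER_EXPORT = [
    {
        "supporter_id": "S-1001",
        "name": "Jane Citizen",
        "email": "jane.citizen@example.com",
        "address": "12 Example St, Melbourne VIC 3000",
        "dob": "1975-03-14",
        "last_donation": "2023-11-02",
        "card_number": "4111 1111 1111 1111",
        "bsb": "062-000",
        "account_number": "12345678",
    },
    {
        "supporter_id": "S-1002",
        "name": "Sam Example",
        "email": "sam@example.org",
        "address": "PO Box 9, Hobart TAS 7000",
        "dob": "1989-07-30",
        "last_donation": "2015-02-18",
        "card_number": "",
        "bsb": "",
        "account_number": "",
    },
]

# Hypothetical key held only by whoever builds the test dataset; it must not
# be stored in, or reachable from, the UAT environment itself.
UAT_PSEUDONYM_KEY = b"example-key-rotate-on-every-refresh"

DIRECT_IDENTIFIERS = ("name", "email", "address", "card_number", "bsb", "account_number")


def pseudonym(value, key=UAT_PSEUDONYM_KEY, length=12):
    """Keyed, stable pseudonym: the same input always maps to the same token
    (so supporter_id still joins across tables) but cannot be reversed
    without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_card(pan):
    """Keep only the last four digits, the way a masked PAN is normally shown."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return ""
    return "*" * (len(digits) - 4) + digits[-4:]


def region_only(address):
    """Generalise a street address to state and postcode (e.g. 'VIC 3000')."""
    match = re.search(r"\b([A-Z]{2,3})\s+(\d{4})\s*$", address)
    return f"{match.group(1)} {match.group(2)}" if match else "UNKNOWN"


def birth_decade(dob):
    """Generalise a date of birth to a decade, enough for age-band testing."""
    year = int(dob[:4])
    return f"{year - year % 10}s"


def deidentify(record):
    """Produce a UAT-safe copy of one supporter record."""
    sid = record["supporter_id"]
    return {
        "supporter_id": pseudonym(sid),
        "name": "Supporter " + pseudonym(sid, length=6),
        "email": pseudonym(record["email"]) + "@uat.invalid",  # .invalid is a reserved TLD
        "region": region_only(record["address"]),
        "birth_decade": birth_decade(record["dob"]),
        "last_donation": record["last_donation"],  # kept: needed to test retention logic
        "card_last4": mask_card(record["card_number"]),
        # Bank details are never needed in a test environment: dropped outright.
    }


def deidentify_export(records):
    return [deidentify(r) for r in records]


def leaked_values(originals, deidentified):
    """Safety check: list (supporter_id, field) for any direct identifier that
    still appears verbatim in the de-identified output."""
    leaks = []
    for orig, safe in zip(originals, deidentified):
        haystack = " ".join(str(v) for v in safe.values())
        for field in DIRECT_IDENTIFIERS:
            value = orig[field]
            if value and value in haystack:
                leaks.append((orig["supporter_id"], field))
    return leaks


if __name__ == "__main__":
    safe_rows = deidentify_export(SUPPORTER_EXPORT)
    for row in safe_rows:
        print(row)
    print("leaked identifiers:", leaked_values(SUPPORTER_EXPORT, safe_rows))
```

The `leaked_values` check is the part worth keeping in a refresh pipeline: run it over the whole output before the load and fail the refresh if it returns anything, so a new column added to the production export cannot silently reach UAT in the clear.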
The enforceable undertaking
Oxfam has agreed to an enforceable undertaking. This includes commitments to improve its security and operational procedures, such as:
- Implementing individual credentials where possible and controls where this is not possible;
- Employing multifactor authentication;
- Providing privacy and security training to staff; and
- Enforcing stronger password controls.
We recommend that all non-profits that collect and store personal information from supporters and stakeholders adopt these privacy practices at a minimum.
Oxfam also agreed to destroy or de-identify the personal information of individuals who haven’t engaged with them in over seven years, those with invalid engagement dates in their system, and those who requested no contact and haven’t engaged in seven years.
Additionally, Oxfam will review their testing processes, engage an independent expert to assess their compliance with the Privacy Act, and participate in a public engagement program with the OAIC about the incident.
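The disposal commitment above is, in effect, a rule with three branches and one awkward edge case (records whose engagement date cannot be trusted). As an added example, not code from Oxfam or the OAIC, the following sweep classifies each supporter record against the three criteria stated in the undertaking: no engagement in over seven years, an invalid engagement date, and a Do Not Contact request with no engagement in seven years. The record fields, the "as at" date and the sample records are assumptions constructed for the example; how a CRM actually stores engagement is not something the page describes.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 7          # the period named in the undertaking
AS_AT = date(2025, 6, 1)     # fixed "today" so the example is repeatable


@dataclass
class Supporter:
    supporter_id: str
    last_engagement: str     # as stored in the CRM: an ISO date, possibly malformed
    do_not_contact: bool


# Constructed sample records: not real supporters, chosen to cover each rule.
SAMPLE = [
    Supporter("S-1", "2024-12-01", False),   # engaged recently
    Supporter("S-2", "2016-03-10", False),   # silent for over seven years
    Supporter("S-3", "0000-00-00", False),   # invalid engagement date
    Supporter("S-4", "2017-01-15", True),    # do-not-contact, silent for over seven years
    Supporter("S-5", "2019-01-15", True),    # do-not-contact but engaged within seven years
    Supporter("S-6", "2018-06-01", False),   # exactly seven years ago: not "over"
]


def parse_engagement_date(raw):
    """Return a date, or None when the stored value cannot be a real date."""
    try:
        return date.fromisoformat(raw)
    except (TypeError, ValueError):
        return None


def years_ago(today, years):
    """today minus N calendar years, tolerating 29 February."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def retention_decision(supporter, today):
    """Classify one record under the three disposal criteria."""
    last = parse_engagement_date(supporter.last_engagement)
    # A missing, unparsable or future date cannot support a retention claim.
    if last is None or last > today:
        return "destroy_or_deidentify", "invalid engagement date"
    cutoff = years_ago(today, RETENTION_YEARS)
    if last < cutoff:
        if supporter.do_not_contact:
            return ("destroy_or_deidentify",
                    "do-not-contact request and no engagement for over seven years")
        return "destroy_or_deidentify", "no engagement for over seven years"
    return "retain", "engaged within the retention period"


def sweep(records, today):
    """Run the decision over every record; returns {supporter_id: (action, reason)}."""
    return {r.supporter_id: retention_decision(r, today) for r in records}


def summarise(decisions):
    """Count records per (action, reason) so the sweep can be reported before it runs."""
    counts = {}
    for action, reason in decisions.values():
        counts[(action, reason)] = counts.get((action, reason), 0) + 1
    return counts


if __name__ == "__main__":
    result = sweep(SAMPLE, AS_AT)
    for sid, (action, reason) in result.items():
        print(f"{sid}: {action:<22} {reason}")
    for (action, reason), n in summarise(result).items():
        print(f"{n} record(s): {action} ({reason})")
```

Two design points: the decision function only classifies, it never deletes, so the summary can be reviewed and the sweep scheduled (the page's own point is that disposal should happen at regular intervals, not once); and a record with an unreadable date is treated as disposable rather than retained, because an organisation that cannot show when it last had a reason to hold the record cannot justify keeping it.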
Further Privacy Improvements Oxfam Adopted After The Breach
In addition to the requirements outlined in the enforceable undertaking, Oxfam implemented further procedures to uplift its privacy practices, including:
- Assessing and evaluating the strength of its security systems and posture;
- Implementing IP whitelisting;
- Improved identity and access management, including multi-factor authentication, single sign-on mechanisms, and biometric authentication in some cases;
- Dark web monitoring;
- Improved log retention periods; and
- Implementing detection and response software on its systems and relevant user machines.
Other Data Breaches in the Non-Profit Sector
The non-profit sector is attractive to cyber criminals: many organisations are underfunded, with overworked and undertrained teams, which can make them a soft target.
We have seen a number of high profile cyber attacks involving the non-profit sector in Australia, including:
- The Pareto Phone ransomware attack, which targeted a charity telemarketing firm, stealing the personal information of around 50,000 individuals. More here.
Next Steps for Non-Profits
The OAIC published detailed guidance for non-profit organisations in 2024. The insights remain relevant today, and we strongly recommend reading the guidance as a starting point.
Next, consider the steps Oxfam took to improve its privacy and security posture. Has your non-profit got those same measures in place? If not, your next step is to review your current practices and create a roadmap for improving them.
In this regard, there’s a list from the Australian Signals Directorate that’s helpful:
- Turn on multi-factor authentication where possible.
- Check automatic updates are on and install updates as soon as possible.
- Back up important files and device configurations often. Test your backups on a regular basis.
- Use a reputable password manager to create strong, unique passwords or passphrases for your accounts.
- Provide cybersecurity training, particularly on how to recognise scams and phishing attempts.
- Use access controls and review them often so staff can only access what they need for their duties. This will reduce potential damage caused by malware or unauthorised access to systems.
- Use only reputable and secure cloud services and managed service providers.
- Test cybersecurity detection, incident response, business continuity and disaster recovery plans often.
- Review the cybersecurity posture of remote workers and connections. Make sure staff are aware of secure ways to work remotely such as not accessing sensitive information in public.
- Report a cybercrime, incident or vulnerability to protect yourself from further harm.
- Join ASD’s Cybersecurity Partnership Program as a business or network partner. This free program provides advice and insights on the cybersecurity landscape.
You can find a downloadable version of this checklist here.
Finally, the OAIC emphasises in its guidance to non-profits that you cannot lose information you don’t hold. In other words, it is crucial to delete or de-identify data at appropriate intervals.
And, as we said in our earlier coverage of the OAIC’s guidance for non-profits: Boiling it down, when it comes to protecting personal information, there are 3 key things to keep in mind:
- Only collect personal information you need.
- Store that information securely.
- Delete the information when no longer required.
Our team of privacy consultants regularly works with non-profits to bolster privacy and security practices. If your organisation needs help, feel free to reach out for an obligation-free consultation.
Or join our free 2 x monthly newsletter to stay on top of trends and training in Australian privacy: