Two charities have said that banking details of their supporters were stolen and leaked on the dark web in a major cyber hack affecting more than 50,000 Australians.
The privacy watchdog is not yet investigating the hack involving over a dozen charities, despite multiple organisations alleging the company breached privacy laws by retaining historical data.
The ABC revealed last week that thousands of Australians had identifying details including home addresses and dates of birth published on the dark web four months after third-party fundraiser Pareto Phone was targeted by hackers.
At least 50,000 Australians have had personal information published on the dark web, but with just a fraction of charities publicly commenting, there are likely to be more.
More than 70 charities are involved in the hack on the tele-fundraiser, but not all have had data stolen.
The ABC can reveal credit card data was also stolen from some charities.
Some stolen data was up to 15 years old, with a handful of charities notifying the privacy watchdog of alleged breaches of Australian Privacy Principles around the destruction of old data.
Despite the breadth of the situation, the Office of the Australian Information Commissioner (OAIC) said it has not commenced an investigation into Pareto Phone but that it is “monitoring” the situation.
The ABC can also reveal the federal agency has never fined a company for a serious data breach.
Cyber experts say without enforcing penalties, companies will continue to fail on privacy, to the detriment of everyday Australians.
Some donors say the breach has affected their faith in supporting charities.