Rural charity data flaw

Rural Aid charity fixes website privacy flaws

A spokesman for Rural Aid said the charity took the data privacy of all stakeholders seriously.

A spokesman for Rural Aid said the charity took the data privacy of all stakeholders seriously.


The details of more than 100 charity-seeking producers were accessible online.


More than 100 drought-stricken producers registered for charity through Rural Aid had their personal details inadvertently released online.

Details for some producers were visible on Google six months after the charity was first alerted to a privacy flaw with its website.

The personal information included names, phone numbers and addresses of producers who had registered with the charity's Farm Rescue and Buy a Bale initiatives.

On February 21, Rural Aid wrote a post on its website alerting the public to a "potential data incident".

"On the evening of Wednesday 20th February 2019, Rural Aid was made aware that our website may have some vulnerabilities, which could result in some farmers' information, such as names and telephone numbers, being exposed," the post read.

The day before Rural Aid announced the "potential data incident", Kara Taylor sent an email to affected farmers.

Ms Taylor was not affected by the data issues but noticed flaws in Rural Aid's website last year.

She wrote to farmers after the Office of the Australian Information Commissioner declined to investigate her complaint because she was not affected.

Ms Taylor's email said Rural Aid had been told about a privacy flaw with its website as far back as October 2018.

"As at today, I'm not aware of the charity supplying any details of the privacy breach to those farmers affected," the email read.

"As you were likely never made aware of the privacy breach, I thought you should at least be given the right to know, and an opportunity to make a complaint if you wish."

A Rural Aid spokesman said one producer had contacted them in late 2018 after noticing their private information was visible through the website via a Google search.

The spokesman said the charity was unaware at that time that the details of other producers were also affected by the same privacy flaw.

"We took decisive action and stopped access to the function immediately," the spokesman said.

"Following the initial contact from that one farmer, we can confirm that no other farmers contacted our organisation in relation to that issue.

"Based on the lack of contact or concern we were, therefore, unaware that any other farmers details could be accessed at that time."

It was only after Ms Taylor's email was sent to producers in February that Rural Aid realised it was a broader issue, the spokesman said.

"In February 2019 we were made aware that the contact details of six farmers, from our database of 8,000, could be accessed through old data cached by Google.

"Importantly, it is only possible to access this information if someone physically searches for this information."

Rural Aid asked Google to remove the information within 24 hours and asked a cybersecurity expert to investigate the issue, the spokesman said.

He said there was no evidence that any information had been accessed, downloaded or stolen.

Queensland Country Life has seen a list gleaned from the Rural Aid website last year that shows more than 100 producers were affected before the flaw was fixed.

Despite then engaging cybersecurity specialists in February, details such as the names, phone numbers and addresses of at least six producers were still visible through Google on May 8, more than six months after Rural Aid was first approached in October.

These personal details have since been removed from Google.

A spokesman for Rural Aid said the charity took the data privacy of all stakeholders seriously.

The charity has since implemented the recommendations of its cybersecurity review, the spokesman said.


From the front page

Sponsored by