Major charity hit by cyber criminals

Meli Community employs more than 750 staff from its Geelong base and is a Barwon region operator of kindergartens, foster care, family violence services, and school and youth help, as well as providing mental health, drug and alcohol, homelessness, financial assistance and NDIS services.

According to a recent financial statement, the organisation’s annual revenue to January 2024 was just over $49 million. Yet the cyberattack has forced it to resort to using paper-based and manual systems for some services.

The breach occurred in late July, just as the world was battling with the CrowdStrike IT meltdown. Late last month, the Qilin ransomware group began publishing Meli data on its dark web portal, posting multiple photographs of important financial documents and passport information.

Qilin claimed to have snatched 215 GB of data and 419,617 files from the charity.

In a statement on its website, Meli apologised to its clients and confirmed it was “currently investigating a cyber incident that has impacted our organisation”.

“As soon as we detected the incident, we took steps to secure our system. We also partnered with leading forensic specialists and cybersecurity advisors to investigate what has happened. Our investigation is ongoing.”

Meli said it was “urgently investigating the nature and extent of the published dataset”, after becoming aware of claims that the information had been published “by an unauthorised third party”.

The company has informed several authorities about the breach, including the Australian Cyber Security Centre (ACSC), Victoria Police, the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner, and state and federal government agencies.

“We will continue to cooperate with law enforcement and the relevant government agencies as required,” the company said in a statement.

Meli issued a string of recommendations about how clients and users of its services should protect their personal data, and also referred users to the Australian Cyber Security Centre website and the ACCC’s Scamwatch website.

The Community Advocate contacted Meli with several questions about the cyberattack, including whether the organisation had been asked for a ransom payment, what actions it had taken to prevent the release of any data on the dark web, more detail about the information taken and whether staff, volunteers and clients had been affected.

Through a public relations company, the organisation put out a statement which repeated most of the web statement but added: “Our important work supporting clients and the community remains our utmost priority. We thank our funders for their ongoing support and together we will continue our important role of supporting people and strengthening communities.”

Meli Community resulted from a merger of the former Barwon Child, Youth & Family (BCYF) and the Bethany Group about a year ago. Its name refers to meliorism, or the idea that the world can be improved through human effort.

The organisation has offices and kindergartens in Greater Geelong, on the Bellarine Peninsula, on the Surf Coast, and in Winchelsea, Colac, Bannockburn, Warrnambool and Horsham.

Bethany was first set up in 1868 as a women’s refuge, while BCYF began as Geelong’s first orphanage.

Qilin, sometimes known as Agenda, employs Russian-based code, and is a growing international threat, having previously targeted hospitals in London, the publishers of the Big Issue in the UK, and IT provider Dialog as well as the Victorian court system in Australia.

Latest attack serves as a warning

Infoxchange CEO David Spriggs said the incident served as just the latest warning to all not-for-profits to brace for such attacks.

“Cyber attacks are continuing to become more prevalent in the community sector, causing significant disruption and damage to the reputation and daily work of not-for-profits,” Mr Spriggs said.

He said Infoxchange's most recent Digital Technology in the Not-for-profit Sector Report had found many not-for-profits were missing basic cyber security protections, with only 20% providing cyber security awareness training for staff or having a plan to improve their cyber security “posture”.

“We advise organisations to ensure they are conducting regular cyber security audits, are implementing strong cyber security practices and educating both staff and volunteers on cyber risks and the critical steps to protect information.

“It is important to prepare for 'when' not 'if' scenarios."

And he repeated a call for the federal government to help the sector.

“We call again on the Australian government to appropriately fund capacity building for the charities and not-for-profit sector to help the sector better prevent these attacks and respond to increasing cyber security threats.”

He said organisations could visit Infoxchange's free Cyber Safe Hub for training for staff and volunteers, and use the guides to cyber security on its Digital Transformation Hub.