Anglicare Sydney has confirmed that it is being held to ransom over a large amount of potentially sensitive information that has been stolen from its computer system.
The not-for-profit organisation holds records on adoption and foster care as well as counselling and mental health services.
It revealed that 17 gigabytes of data was transmitted to a remote location on August 31 in what it called “a malicious cyber attack”.
An investigation is still trying to determine what information is contained in the files.
Anglicare Sydney is contracted by the NSW Department of Family and Community Services to provide foster care and adoption services as well as programs for vulnerable families and young people.
It also provides counselling and mental health services along with a range of disability and aged care services.
Anglicare Sydney said in a statement: “The main system relating to Anglicare Sydney’s Out of Home Care program, which includes the foster care program, was not impacted.”
But it was unable to say what information is contained in the seized data.
It was concerned that reports about the cyber attack would “cause unnecessary harm and distress to some of the most vulnerable people in our care”, a spokesperson said.
NSW Police said they were aware of the attack and were conducting inquiries.
The government’s intelligence, cyber warfare and information security agency, the Australian Signals Directorate, also confirmed it was working with Anglicare Sydney to investigate the attack.
“Ransomware can cripple organisations that rely on computer systems to function by encrypting all connected electronic devices, folders and files and rendering systems inaccessible,” a spokesperson said.
“Cybercriminals will then demand a ransom in return for the decryption keys, often in the form of untraceable crypto currencies such as Bitcoin.”
Anglicare Sydney has refused to pay a ransom.
“(We) would not entertain engaging with cyber criminals,” a spokesperson said.
The General Secretary of the Public Service Union, Stewart Little, said the ransomware attack highlights the risks posed by the NSW Department of Family and Community Services (FACS) contracting out sensitive services to non-government organisations.
“You have to question when an organisation like Anglicare can have direct, as I understand it, portal access to data (in the FACS computer),” he said.
“The integrity and security of that data is paramount, we’re talking about children at risk here.”
He said the people receiving government services through Anglicare were entitled to have their personal information protected.
“People expect a higher standard when it comes to the security of data. You can’t ensure that when you are dealing with an outsourced provider like Anglicare, they are effectively a charitable organisation,” he said.
“I’m sure they do the best they can but they don’t have the same standard as, say, the Tax Office or a secure environment.
“So the government are going to have to explain to people who’ve interacted with these services what’s happened to their data.”
The Minister for Family and Community Services Gareth Ward has been contacted for comment.
Earlier this year, Anglicare Sydney was at the centre of a major outbreak of COVID-19 at one of its residential aged care homes, Newmarch House, during which 19 residents died.
A total of 71 cases were diagnosed before the outbreak was brought under control in June.