The Smith Family, one of Australia's longest-running children's charities, has announced a major cyber attack which may have exposed the details of some 80,000 donors.
The non-profit took to Twitter on 22 November reporting a cyber incident wherein "a team member's email account was temporarily accessed in an attempt to steal funds".
While the attempted financial theft was reportedly unsuccessful, a follow-up investigation revealed the personal information of "some individuals" may have been accessed during the attack.
Among the personal information which "might have been accessed" was a mixture of supporters' names, addresses, phone numbers, email addresses and donation amounts.
The organisation says some cases of first and last credit or debit card digits, as well as information regarding "whether a donation payment was processed successfully or declined" might have been accessed as well.
"We can confirm for those with potential credit or debit card details accessed, no middle digits, or CVV numbers were accessed as The Smith Family does not store that information in its systems," said The Smith Family.
"The data accessed in itself cannot be used to make fraudulent purchases," it added.
Notably, The Smith Family initially suggested no credit or debit card expiry dates were accessed during the incident, but this statement was later edited.
A day after the cyber incident was announced, the charity's information page was quietly updated to remove any mention of expiry dates altogether.
The reason behind this change is yet to be confirmed.
This major incident marks the latest in a series of high-profile Australian data breaches, occurring only shortly after the now notorious Optus and Medibank attacks.
Similarly to Medibank's early statements during its own cyber incident, The Smith Family claims there is currently no evidence of personal information being misused or data having been published externally.
"While there is no current evidence of misuse of any individual’s personal information, we are informing individuals about the incident and providing simple steps to protect their information and avoid any potential scams," it said.
The Smith Family is yet to confirm how the unauthorised third party was able to break into the email account used during the attack, but appears to be continuing its investigations into the matter.
The organisation also said it was contacting every single donor and sponsor about the incident, regardless of whether their information had been accessed or not.
"We take data privacy very seriously and we understand the importance that you place on your personal information," said The Smith Family in a statement.
Twitter user and sponsor Christopher Allan replied: "Thank you for being quick to disclose. Why these [deleted] scammers stoop so low as to target you guys is beyond me."
Both the Australian Cyber Security Centre and Office of the Australian Information Commissioner have been notified of the incident.
More attacks against Australian businesses?
While The Smith Family has confirmed the incident is unrelated to the recent Optus and Medibank data breaches, many cyber security experts suggest attacks such as this are part of a larger cybercrime wave targeting Australian businesses.
According to the Australian Cyber Security Centre, the Australian Government lead agency for cyber security, 2022 has seen a 13 per cent increase in the number of cybercrime reports compared to 2021.
Since Optus' September breach which reportedly exposed 9.8 million customer records, cyber criminals have launched further attacks against massive organisations such as Medibank and online retailer MyDeal, through to smaller enterprises such as wine seller Vinomofo.
As this latest attack against The Smith Family continues Australia's rampant trend of major data breaches, the Australian Government is signalling long-awaited legal reforms in the shape of increased fines, and Cyber Security Minister Clare O'Neil has voiced consideration for making ransom payments entirely illegal.
Following its attack, The Smith Family said it had engaged specialist cyber security experts and bolstered its systems.
It also stated it will take immediate action to communicate with stakeholders if any evidence of data misuse is identified, or if further issues arise.
"We are committed to protecting the personal information of all our supporters and we apologise for any inconvenience or stress that notification of this incident may have caused," said The Smith Family.