Security Update
Important information about a cyber incident at Meli
As at Tuesday 8 October 2024
To our valued clients,
We are currently investigating a cyber incident that has impacted our organisation. We thank our Meli community for their patience as we investigate this incident.
What has happened?
Once we detected the incident, we took steps to secure our system and investigated what has happened. Our response to the Incident is extensive, ongoing and continues to be guided by forensic specialists and cybersecurity advisors with the support of relevant Victorian and Commonwealth government agencies.
Our investigation has unfortunately identified evidence that a subset of data has been taken from our system. We are aware of a claim that this information has now been published externally by an unauthorised third party. We are urgently investigating the nature and extent of the published dataset.
Cyber incidents are complex and it is important that we take the time to examine in detail the nature and extent of the published dataset so that we can communicate with accuracy.
In addition to progressing our investigations, Meli has been granted a court-ordered injunction to prevent any access, dissemination or publication of the impacted data by any third party. We have asked that interested parties do not attempt to access any impacted data, as this is a criminal offence in contravention of the court order.
Obtaining the injunction is part of our ongoing commitment to our valued partners and Meli community. This includes taking all reasonable steps in response to this incident to protect the impacted data and those most vulnerable.
We have informed the Australian Cyber Security Centre, Victorian Police, the Office of the Australian Information Commissioner, Office of the Victorian Information Commissioner and relevant departments in the Victorian and Commonwealth Governments about the incident. We will continue to cooperate and work with law enforcement and the relevant government agencies as required, which includes to monitor for suspicious activity and implement additional security measures where appropriate.
Meeting the needs of our clients continues to be our utmost priority. While many of our systems have been restored and services to our clients returned to normal, some aspects of our work continue with manual or paper-based processes in the short-term. We are endeavouring to return all our services to clients to normal as quickly as possible. We thank you for your continued patience and understanding.
We appreciate that you would like to know more but this incident is complex and requires specialist review and investigation. Please know that we are working as hard as we can to resolve this incident.
Our investigation is ongoing, and we are committed to keeping you informed as soon as we have relevant information to share.
Looking after your personal cyber security
While our investigation continues, we recommend you take the following precautionary steps to protect your personal information:
- Please remain vigilant and monitor for any suspicious activity, including any communications from an unverified person by phone or email requesting information or payments. This includes phone calls from common names or any communications disguised to look like they come from someone you know or trust.
- Verify communications by confirming the identity of the sender. This includes checking email names and domains by hovering your mouse over the sender’s email address.
- Do not open links that look suspicious. If you are unsure about a link sent to you by a company, you should go to the company’s website and look for the product or service that was offered.
- Be alert to phishing scams. This could include scams that target you through post, phone or email. Phishing scams are attempts by scammers to trick people into providing their personal information, including passwords, credit card numbers and/or sensitive personal information, often by creating a sense of urgency.
Further information about online safety, cyber security and other helpful tips can be found at the Australian Cyber Security Centre website or the ACCC’s Scamwatch website.
Next steps
We will always ensure any updates about our investigation into the cyber incident are communicated to you.
We sincerely apologise for any concern this incident may have caused. All of us at Meli thank you for your ongoing support in enabling us to continue serving our local community.
Important questions right now
Our investigation has unfortunately identified evidence that a subset of data has been taken from this system.
We are aware of a claim that his information has now been published externally by an unauthorised third party. We are urgently investigating the nature and extent of the published dataset.
We understand that you would like to know more but this incident is complex and requires specialist review and investigation. It’s important that we take the time to investigate the nature and extent of the published dataset so that we can communicate with accuracy.
We are committed to communicating transparently and with integrity, and we will update you as soon as we have relevant information to share.
While our investigation continues, we recommend you take the following precautionary steps to protect your personal information:
- Please remain vigilant and monitor for any suspicious activity, including any communications from an unverified person by phone or email requesting information or payments. This includes phone calls from common names or any communications disguised to look like they come from someone you know or trust.
- Verify communications by confirming the identity of the sender. This includes checking email names and domains by hovering your mouse over the sender’s email address.
- Do not open links that look suspicious. If you are unsure about a link sent to you by a company, you should go to the company’s website and look for the product or service that was offered.
- Be alert to phishing scams. This could include scams that target you through post, phone or email. Phishing scams are attempts by scammers to trick people into providing their personal information, including passwords, credit card numbers and/or sensitive personal information, often by creating a sense of urgency.
Further information about online safety, cyber security and other helpful tips can be found at the Australian Cyber Security Centre website or the ACCC’s Scamwatch website.
As soon as we detected the incident, we took steps to secure our system. We also partnered with leading forensic specialists and cybersecurity advisors to investigate what has happened.
We have also informed the Australian Cyber Security Centre (ACSC), Victoria Police, Office of the Australian Information Commissioner, Office of the Victorian Commissioner and relevant government agencies about the incident. We will take all reasonable steps to work with law enforcement and the relevant government agencies as required.
In addition to progressing our investigations, Meli has been granted a court-ordered injunction to prevent any access, dissemination or publication of the impacted data by any third party. We have asked that interested parties do not attempt to access any impacted data, as this is a criminal offence in contravention of the court order.
Obtaining the injunction is part of our ongoing commitment to our valued partners and Meli community. This includes taking all reasonable steps in response to this incident to protect the impacted data and those most vulnerable.
Our investigation is ongoing and we will update our stakeholders with any information relevant to them.
If you require further information or need assistance, please feel free to contact Meli on cyber@meli.org.au or call our Cyber Incident Enquiry Line on 03 5292 8731 from 9am-5pm weekdays.