
What matters when a cyber incident becomes real.

Jun 02, 2026

In September last year, we experienced a cyber incident involving a data breach and ransom demand.

At the time, our CEO was overseas on extended leave. Our Executive Manager Service Delivery was acting in the role, and our Executive Manager Corporate Services was leading the ICT response. Like many organisations, we were managing competing priorities and working with the resources we had on the ground.

It is something you prepare for, but when it happens, let me tell you, it feels totally surreal. A ransom note was discovered on one of our servers. Not a simulation or a test, but a real situation that needed a response straight away.

Very quickly, the weight of it set in.

In those early stages, the hardest part was not the demand itself. It was the uncertainty. We did not yet know what had been accessed, how much information was involved, or whether client data had been affected. As an organisation supporting vulnerable people in the community, that uncertainty carries a real sense of responsibility. You are thinking about the people behind the information and what any potential impact could mean for them.

At the same time, services continue. Staff are still out supporting people. Calls are still coming in. Aged care reform deadlines loomed. Care does not pause while you work through a situation like this. Holding those two realities at once was one of the most challenging aspects.

We had done the right things leading in. We had a response plan, external IT support, and a range of cyber security measures in place. What became clear very quickly is that having a plan matters, but being able to use it under pressure matters more. It gave us structure and a place to start, which was critical when there were so many unknowns.

One of the most important parts of our experience was the incredible support we received through our insurer. This brought in a team with deep experience in managing incidents like this, which, again, was so surreal, but thank goodness someone has the experience! Their guidance helped us slow down, carefully confirm information, and make considered decisions rather than reacting too quickly. It also introduced us to a new language, with terms such as ‘threat actors’, the name given to the people holding us to ransom.

At times, their advice went against instinct. There is a natural urge to communicate widely as soon as possible. Instead, we were guided to wait until we had clear and verified information. That approach helped us avoid confusion and provide more meaningful communication when the time was right… no matter how hard it felt to stay quiet.

There were difficult decisions along the way. When to communicate and who to tell. Whether to consider the ransom. How to balance urgency with accuracy. These decisions were made with incomplete information and under time pressure. Having shared responsibility across the executive team, along with trusted external advice, made a significant difference.

This was not carried by one or two people. Our broader executive and the board worked closely together, sharing responsibility, stepping in where needed and supporting each other through a situation that was uncertain and, at times, confronting.

Looking back, a few things stand out. Preparation is essential, but it needs to be practical. Expert advice is critical and can change the course of how a situation is managed. Communication requires care and timing, not just speed. And culture plays a central role in how an organisation responds under pressure.

Fast forward to now and we have strengthened our systems and accelerated improvements that were already underway. We have also refined our response approach based on what we experienced in practice.

More broadly, it has shifted how we think about cyber risk. It is not just an IT issue. It is part of providing safe, reliable services and maintaining trust.

We are sharing this because we know that unfortunately it is likely that others in our sector will face something similar. If our experience helps another organisation feel more prepared or more confident in how they might respond, then it is worth it. We are always open to a conversation.
