Genealogy SA, Australia's largest family history society, has confirmed a cyber incident after the SafePay ransomware gang listed the non-profit on its dark web leak site and claimed to have stolen and published internal data. The Adelaide-based organisation, founded in 1973, supports more than 4,300 members and roughly 230 volunteers engaged in genealogical and heraldic research.
What Happened
SafePay added Genealogy SA to its dark web leak portal on 16 April 2026, threatening to publish allegedly exfiltrated data within days if demands were not met. The non-profit, previously known as the South Australian Genealogy & Heraldry Society, has since confirmed it experienced a cyber incident. The listing appears to have progressed to publication, following SafePay's standard double-extortion playbook of pressuring victims with a public countdown before releasing stolen records.
What Was Taken
Specific data categories and volume have not been publicly itemised, but genealogical organisations typically hold highly sensitive personal records: member identity details, family trees, birth and death records, contact information, payment data for membership dues, and volunteer rosters. Much of this material is inherently linked to living relatives, meaning the blast radius of any leak extends well beyond the 4,300 direct members. For a research-focused non-profit, decades of scanned archives and donor records may also be at risk.
Why It Matters
Non-profits and community organisations remain high-value soft targets for ransomware crews like SafePay because they combine sensitive personal datasets with constrained security budgets and limited dedicated IT staff. Genealogical data is particularly attractive for downstream abuse, including identity fraud, social engineering attacks that leverage family relationships, and answers to knowledge-based authentication questions such as mother's maiden name. This incident also reinforces SafePay's continuing focus on Australian and mid-market victims through 2026.
The Attack Technique
Initial access details for the Genealogy SA intrusion have not been disclosed. SafePay, first observed in late 2024, has historically favoured access via compromised VPN and RDP credentials, exploitation of unpatched edge devices, and the abuse of valid accounts lacking multi-factor authentication. The group deploys a Windows-targeting locker and routinely exfiltrates data before encryption to support its double-extortion model, with stolen data posted to a Tor-hosted leak site when ransom demands are refused.
What Organisations Should Do
- Enforce phishing-resistant MFA on all remote access, VPN, email, and administrative accounts, and retire any standalone RDP exposure.
- Patch internet-facing appliances (VPN concentrators, firewalls, file transfer servers) on an aggressive cycle and hunt for known SafePay indicators on perimeter devices.
- Segment member and donor databases from general staff and volunteer workstations, and restrict bulk export rights behind auditing and approval workflows.
- Maintain offline, immutable backups of member records and archival data, and rehearse restoration timelines against a realistic ransomware scenario.
- Deploy EDR with behavioural detections tuned for credential dumping, shadow copy deletion, and mass file encryption typical of SafePay tradecraft.
- Prepare a breach notification playbook tailored to the Australian Privacy Act and OAIC reporting obligations, including communications for members whose genealogical and contact data may be exposed.
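As an added example (not from the article, Genealogy SA, or any EDR vendor), here are two of the behavioural detections named above, shadow copy deletion and mass file encryption, written as rules over constructed Sysmon-style process-creation and file-rename events. The hostnames, usernames, paths, process IDs and thresholds are assumptions; the command-line patterns are the ordinary Windows commands that disable recovery, not SafePay-specific strings, and credential dumping is not covered here.

```python
"""Two ransomware-precursor detections over constructed endpoint telemetry.

Added example, not from the article or any EDR product. Events are dicts
shaped like Sysmon process-creation (ID 1) and file-rename records.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (hostnames, users and times are made up).
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2026-04-15T02:11:04", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-04-15T02:11:09", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2026-04-15T02:12:30", "host": "FILESRV01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # Benign: listing shadows is a routine admin check and must not alert.
    {"ts": "2026-04-15T09:00:00", "host": "WS-LIB07", "user": "CORP\\jsmith",
     "cmdline": "vssadmin list shadows"},
]

# Publicly documented commands that remove or cripple Windows recovery data.
SHADOW_TAMPER_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "VSS shadow copy deletion"),
    (r"vssadmin(\.exe)?\s+resize\s+shadowstorage", "VSS shadow storage resize"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "WMI shadow copy deletion"),
    (r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", "Windows recovery disabled"),
    (r"wbadmin(\.exe)?\s+delete\s+catalog", "Backup catalog deletion"),
]


def detect_shadow_copy_tampering(events):
    """Return one alert per process-creation event whose command line matches
    a recovery-inhibition pattern (case-insensitive)."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for pattern, label in SHADOW_TAMPER_PATTERNS:
            if re.search(pattern, cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "rule": label, "cmdline": ev["cmdline"]})
                break
    return alerts


def make_sample_file_events():
    """Constructed: one process re-extensions 60 member documents in 30 seconds
    (the encryption burst), plus three ordinary temp-file saves by a user."""
    base = datetime(2026, 4, 15, 2, 13, 0)
    events = []
    for i in range(60):
        events.append({"ts": (base + timedelta(seconds=i // 2)).isoformat(),
                       "host": "FILESRV01", "pid": 4412,
                       "image": "C:\\Users\\Public\\update.exe",  # hypothetical path
                       "old": f"D:\\Members\\tree_{i:03d}.pdf",
                       "new": f"D:\\Members\\tree_{i:03d}.pdf.locked"})
    for i in range(3):
        events.append({"ts": (base + timedelta(minutes=5, seconds=i)).isoformat(),
                       "host": "WS-LIB07", "pid": 812,
                       "image": "C:\\Program Files\\App\\app.exe",
                       "old": f"C:\\Users\\jsmith\\doc{i}.docx.tmp",
                       "new": f"C:\\Users\\jsmith\\doc{i}.docx"})
    return events


def detect_mass_rename(file_events, threshold=50, window_seconds=60):
    """Alert when one process on one host renames at least `threshold` files to a
    different extension inside any sliding window of `window_seconds`.
    Same-extension renames (normal edits) are ignored to cut false positives."""
    by_proc = defaultdict(list)
    for ev in file_events:
        if ntpath.splitext(ev["old"])[1].lower() == ntpath.splitext(ev["new"])[1].lower():
            continue
        by_proc[(ev["host"], ev["pid"], ev["image"])].append(datetime.fromisoformat(ev["ts"]))
    alerts = []
    for (host, pid, image), times in by_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "count": end - start + 1,
                               "first": times[start].isoformat(),
                               "last": times[end].isoformat()})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(SAMPLE_PROCESS_EVENTS):
        print("RECOVERY TAMPERING:", a)
    for a in detect_mass_rename(make_sample_file_events()):
        print("MASS RENAME:", a)
```

Run against the constructed data, the first rule fires three times on FILESRV01 and stays silent on the `vssadmin list shadows` check, and the second rule fires once for the burst process while ignoring the user's temp-file saves. The threshold and window are starting points; tune them against a baseline of the organisation's own file servers before alerting on them in production.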
Sources: Exclusive: SA genealogical research firm confirms cyber incident following SafePay ransom claims