Bravox Ransomware Hits Salvation Army — Three Things Australian NFPs Should Check This Week
On 23 May the Bravox ransomware group listed The Salvation Army on its leak site, according to tracking by Ransomware.live. The claimed hit is against an organisation whose services include emergency aid, rehabilitation and community support. It’s the third ransomware claim against the charity in twelve months: Chaos in 2025, Interlock with an alleged 93 GB and 1.6 million donor records late last year, now Bravox. That isn’t bad luck. That’s a pattern.
For Australian NFPs the lesson is uncomfortable. Charities run lean, often on donated IT, with a lot of part-time staff and goodwill substituting for proper access controls. Attackers know this. Donor databases are gold — names, addresses, donation amounts, often birth dates and bank details — perfect for impersonation scams that recycle the charity’s own brand against its supporters. Under the Privacy Act and the Notifiable Data Breaches scheme, that data is treated the same way as a bank’s. A serious notifiable breach now exposes your board to real personal scrutiny, not just reputational pain.
Three things to check this week. First, who has admin access to your CRM, finance system and donor database — and do any of those accounts belong to volunteers, former staff or shared mailboxes? Cut what you don’t need. Second, do you have offline, immutable backups of your donor and financial data, tested in the last 90 days? If “backup” means a synced Dropbox folder, that won’t survive ransomware. Third, when did your team last do phishing awareness training? Most ransomware still walks in through a single misclick.
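The first check can be done with two spreadsheet exports. The script below is an added example, not part of the original article: it cross-references an admin-account export against a people roster and flags admin accounts held by volunteers, former staff, shared mailboxes or anyone not on the roster. The column names, status values and the charity.example addresses are all assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
ADMIN_EXPORT = """system,account,role,owner_email
CRM,jlee,admin,j.lee@charity.example
CRM,fundraising,admin,fundraising@charity.example
Finance,mpatel,admin,m.patel@charity.example
Finance,tnguyen,read-only,t.nguyen@charity.example
DonorDB,skhan,admin,s.khan@charity.example
DonorDB,oldtemp,admin,temp2023@charity.example
"""

ROSTER = """email,status
j.lee@charity.example,staff
fundraising@charity.example,shared
m.patel@charity.example,former
t.nguyen@charity.example,volunteer
s.khan@charity.example,volunteer
"""

# Roster statuses that should not hold admin rights, with the reason to report.
RISKY = {
    "volunteer": "volunteer holds admin rights",
    "former": "former staff account still admin",
    "shared": "shared mailbox has admin rights (no individual accountability)",
}

def flag_risky_admins(admin_csv, roster_csv, admin_roles=("admin", "owner")):
    """Return (system, account, reason) for every admin account to review."""
    roster = {r["email"].strip().lower(): r["status"].strip().lower()
              for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(admin_csv)):
        if row["role"].strip().lower() not in admin_roles:
            continue  # non-admin accounts are out of scope for this check
        status = roster.get(row["owner_email"].strip().lower())
        if status is None:
            reason = "owner not on current roster (orphaned account)"
        elif status in RISKY:
            reason = RISKY[status]
        else:
            continue  # current staff member: not flagged by this check
        findings.append((row["system"], row["account"], reason))
    return findings

if __name__ == "__main__":
    for system, account, reason in flag_risky_admins(ADMIN_EXPORT, ROSTER):
        print(f"{system:8} {account:12} {reason}")
```

Accounts held by current staff are not flagged, so the remaining admin list still needs a quick look to confirm each person actually needs that level of access.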
If you’re a charity unsure where to start, our NFP IT team does this kind of baseline security review regularly — sized to a charity’s reality, not an enterprise checklist.
