Threat actors have claimed a cyber attack on an Australian energy management and consulting firm and are threatening to release allegedly stolen data in a number of days.
Energy Action is an Australian firm that aims to highlight energy usage inefficiencies and encourage good energy management, ensuring that businesses can avoid “bill shock” and can push towards net zero emissions, a commitment that it itself has already achieved.
Energy Action was listed on the dark web leak site of the SafePay ransomware gang on 1 May.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
While SafePay has not disclosed any details of the incident, it has threatened to leak the data it allegedly stole from the company in just over two days at the time of writing.
The company has not yet publicly disclosed the incident. Cyber Daily has reached out to Energy Action and is currently awaiting a response.
Who is SafePay?
SafePay was first observed in October 2024 and has claimed more than 450 victims since then.
The group has been observed targeting businesses in Australia, the United Kingdom, the United States, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina.
According to the group, it is not a ransomware-as-a-service (RaaS) operation.
“SafePay ransomware has never provided and does not provide the RaaS,” SafePay said on its leak site.
The group’s most recent Australian victim was South Australia-based genealogy non-profit, Genealogy SA.
Genealogy SA was listed on the dark web leak site of the SafePay ransomware gang on 16 April, with the group threatening to publish the data a number of days after the listing was made.
The group has since uploaded data it claims to have stolen from the company, including business, financial and insurance documents, historic genealogical data, personal details in correspondence, internal templates and labels, and more.
Speaking with Cyber Daily, Genealogy SA said it was aware of the claims and that it has since contained the incident.
“We are aware of the claims made by SafePay. This relates to an incident that was discovered by us back in February 2026,” the company said.
“Immediately at the time of discovering the incident, we engaged cyber security experts to contain and investigate the incident. We can confirm that the incident is resolved, and we have communicated with our members about the incident.”
SafePay was also responsible for a ransomware attack on IT giant Ingram Micro in July 2025, which led to the company contacting more than 42,000 individuals whose personally identifiable information (PII) had been compromised by the hackers.
Want to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Daniel Croft
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
Tags: