Arts Organizations’ Email Lists Compromised by Ransomware Attack
WordFly Data Security Incident Explained.
The Smithsonian Institution in the US, the Toronto Symphony Orchestra in Canada, the Courtauld Institute of Art in London, and WordFly, a mailing list supplier for prominent arts organizations, all had their data stolen by a ransomware group. Other impacted institutions include Southbank Centre, Royal Shakespeare Company, Royal Opera House, and The Old Vic.
The main WordFly website is currently down and has been inaccessible for the past two weeks. The company recommended on a different website, “Please prepare properly if you need to send email before August 1.” One of the businesses that handles delivering bulk emails to consumers that sign up for said services is WordFly. These emails are often marketing communications.
WordFly executive Kirk Bentley provided an update on the downtime, stating that the company’s engineering team found a network issue on July 10. During the incident, attackers exfiltrated “additional data” that those organizations used to engage with their fans through WordFly, including consumer email addresses. In a support message, he stated:
It is our understanding that as of the evening of July 15, 2022, the data was deleted from the bad actor’s possession. We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked or disseminated elsewhere. We also have no evidence to suggest that any of this information has been, or will be, misused.
According to Bentley, “we feel that the exported data was not sensitive in nature and mostly consisted of names and email addresses.”
The digital marketing company also employed independent forensics and cybersecurity specialists to aid in the inquiry, and claimed that as of right now the “problem has been contained.” However, there is no information on when WordFly will be available again.
Major artistic and cultural institutions, such as the Sydney Dance Company in Australia, have since given their own statements regarding the ransomware attack.
“Visitors’ financial data (including credit card numbers) were not hacked,” The Courtauld told its members.
The Smithsonian, which claims to be the greatest museum, education, and research complex in the world and operates 21 museums and the US National Zoo, reported that some of its data, including the names and email addresses of its subscribers, were compromised during the cyberattack.
We want to let you know about an incident that occurred at a company that we use to send email communications to our community about our programs and events. The company, WordFly, was the victim of a ransomware attack that has made their services unavailable since Sunday, July 10. We were notified on the evening of July 11th that they were experiencing a network disruption rendering their services inaccessible which they later determined was due to a ransomware attack.
On Thursday July 14 they notified us that some of their customer data, namely email addresses and names we upload to their service to send email communications, may have been impacted by this incident. On Friday July 15, WordFly confirmed that, as part of the incident, data we maintain on their service was exported as part of the attack. WordFly has worked with the attackers and shared with us that they believe the information has been deleted and there will be no further misuse of this information.
We want to reassure you that we use this service to facilitate email communication and we do not store any information in the system that is financial or sensitive that could have been exposed by this incident. We will continue to monitor this situation and receive updates from WordFly and the forensic experts assisting them with this incident. If we learn any additional information about the information that was exported or have any reason to believe the data has not been deleted by the attackers, we will update this notice.
WordFly reiterated that it believes “the information has been erased and there will be no future misuse of this information” nonetheless.
The Toronto Symphony Orchestra issued a similar advisory in which it stated that personal data including names, email accounts, member IDs, and information regarding TSO accounts (including donor level and demographic data obtained through surveys), may have been exposed.
The Orchestra has “temporarily teamed” with Mailchimp to communicate its emails to patrons while WordFly’s email service is still unavailable.