TSO warns customers after names, email addresses compromised in ransomware attack

The Toronto Symphony Orchestra is warning its patrons that some of their personal information may have been compromised in a recent ransomware attack.

In an email sent out to patrons Monday afternoon, the TSO said that its email provider, WordFly, became aware of a “network disruption” on July 10.

“We have come to learn that WordFly was subject to a ransomware attack,” the TSO said in its email. “As part of the incident, the attacker exported customers’ information from the WordFly environment, including patron information that WordFly was handling on behalf of the TSO.”

A ransomware attack typically involves cybercriminals infiltrating the target’s computer systems and locking them down until a ransom is paid.

In this case, the attacker encrypted WordFly’s data and exported it several days later.

WordFly told the TSO that there is “no evidence” to suggest the data was misused or made publicly available.

“Further, WordFly’s understanding is that the data has now been deleted from the attacker’s possession,” the orchestra said.

The compromised information included names, email addresses, TSO patron IDs and other information such as donor level and survey responses, which could include demographic data like age, gender and ethnicity.

Payment and financial data were not compromised in the breach, the TSO said.

The TSO said that it has temporally partnered with another email provider, Mailchimp, in order to stay in touch with its patrons.

The organization said that it is informing patrons about the incident “out of an abundance of caution” and advised them to remain vigilant about suspicious emails or phone calls which might try to fraudulently obtain further information and to check accounts for unauthorized charges or transactions.

“Please accept our sincere apologies,” the orchestra said. “We take the security of our data and systems very seriously, and we value the trust that you place in us.”

WordFly has been down for two weeks since the breach was discovered. On a website set up to provide updates to customers, the vendor said that it has “retained experts” to restore its systems.

“It is our understanding that as of the evening of July 15, 2022, the data was deleted from the bad actor’s possession,” the company said in a statement a week ago. “We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked or disseminated elsewhere. We also have no evidence to suggest that any of this information has been, or will be, misused.”

Leave a Comment