Toronto Symphony Orchestra Statement: WordFly Data Security Incident
Safeguarding and protecting the privacy and confidentiality of our patrons is a top priority of the Toronto Symphony Orchestra. We want to make you, our patrons, aware of a data security incident involving one of our service providers. While we have no evidence of any of our patrons’ information being misused, in the spirit of full transparency and in abundance of caution, we want to let you know what happened, what personal information was involved, what we are doing, and what you can do.
On July 10, 2022, our email provider, WordFly, became aware of a network disruption that rendered their technology inaccessible. We have come to learn that WordFly was subject to a ransomware attack. As part of the incident, the attacker exported customers’ information from the WordFly environment, including patron information that WordFly was handling on behalf of the TSO. WordFly assures us that there is no evidence to suggest that the data was misused for any purpose by this attacker, nor made publicly available. Further, WordFly’s understanding is that the data has now been deleted from the attacker’s possession. If you wish to learn more, you can read WordFly's statements on the incident, which are available on WordFly’s website. The TSO’s own systems were not impacted by this incident.
What personal information was involved?
Your payment and financial data were not compromised in any way by this incident. Personal information potentially impacted includes your name, email address, TSO Patron ID and information about your TSO account (e.g. donor level, credit on account status, gift certificate status). It may also include personal information certain patrons have volunteered to the TSO when responding to a survey, such as demographic information (age range, gender, ethnicity) and opinions on the TSO.
What is the TSO doing?
As WordFly works to restore service, the TSO has temporarily partnered with leading email provider Mailchimp to ensure minimal disruption to our patron communications, so that you can remain connected to your Toronto Symphony Orchestra. We continue to work with WordFly to learn as much as we can about the incident, and to ensure enhanced security measures will be employed to prevent future incidents.
What do you need to do?
Again, we reiterate that payment and financial data was not affected in any way by this incident and that there is no evidence of any misuse of patrons’ information.
Out of an abundance of caution, we wanted to inform you of this incident and recommend good security practices you can take to protect yourself:
- Remain vigilant to the risks of phishing: be cautious of emails, text messages, or phone calls that request that you provide personal information or contain links or attachments, even when originating from trusted individuals or companies. In particular, remain vigilant of any communication referencing your relationship with the TSO. The TSO will never ask you to provide payment, financial or other sensitive information by email.
- Check your accounts for unauthorized charges and transactions.
- Use strong passwords for your personal and financial accounts. Avoid using the same passwords across various services and change your passwords regularly.
Please accept our sincere apologies. We take the security of our data and systems very seriously, and we value the trust that you place in us.
If you have any questions, please contact our team by email at email@example.com or by calling Patron Services at 416.598.3375.