Arts organizations alarmed after WordFly ransomware attack
Jonathan Greig July 27, 2022

Arts organizations alarmed after WordFly ransomware attack

Arts organizations alarmed after WordFly ransomware attack

Arts organizations around the world are expressing concern about the wide-ranging impact of a ransomware attack on WordFly, a tech company providing digital marketing for dozens of the most popular cultural organizations in several countries.

The company handles email and text message marketing for organizations like the Smithsonian, the Toronto Symphony Orchestra, Canada Stage, the Sydney Dance Company in Australia, the Royal Shakespeare Company, the U.K.’s Old Vic Theatre and several other major organizations.

But WordFly’s Kirk Bentley told customers nine days ago that a ransomware attack rendered their “technological environment inaccessible” and encrypted the WordFly application.

Bentley said on July 10, the company hired an outside digital forensics firm and cybersecurity teams to address the issue. 

By July 14, the company confirmed that the ransomware group “exported the email addresses and other data our customers utilize to communicate with their subscribers from our environment to an external location.”

The stolen information includes email addresses, names, and other data customers import or collect via WordFly forms. Several organizations use WordFly for surveys and other customer events. 

“At this time, we believe that the exported data was not sensitive in nature and largely consisted of names and email addresses. It is our understanding that as of the evening of July 15, 2022, the data was deleted from the bad actor’s possession,” said Bentley, who works as the company’s business development director of SaaS products. 

“We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked or disseminated elsewhere. We also have no evidence to suggest that any of this information has been, or will be, misused.”

Bentley said they believe the attack has been “contained” but noted that they are still investigating the incident. 

The company is slowly restoring its services but as of Wednesday, all of its systems remain offline.

WordFly claimed that organizations who had information involved in the breach do not necessarily need to notify their customers because they don’t believe the stolen information “has been, or will be, misused to perpetrate harm to the rights and liberties of our customers or their subscribers.”

They provided organizations with sample statements they can send to subscribers and customers. The statements focus on the lack of credit card numbers or government ID information and claim the data stolen in the attack was “non-sensitive.”

Several organizations have released statements about the incident, despite WordFly’s insistence that the information involved was not serious. 

The Smithsonian said WordFly told them it “worked with the attackers” and confirmed that the stolen data was deleted. They pledged to provide more updates if information from WordFly changed. 

“We want to reassure you that we use this service to facilitate email communication and we do not store any information in the system that is financial or sensitive that could have been exposed by this incident,” Smithsonian said. “WordFly believes the information was deleted, however we wanted to notify you of this incident since this is data you shared with us.”

The Toronto Symphony Orchestra changed email providers and sent a message to its customers, providing the same information the Smithsonian did but adding an additional warning that customers should be wary of any emails asking for personal information. They urged customers to watch for any unauthorized charges in their accounts. 

“In particular, remain vigilant of any communications that refer to your relationship with the Orchestra,” the organization said, according to IT World Canada. “The Orchestra will never ask you to provide payment, financial or other confidential information via email.”

Several organizations across Australia, the United Kingdom and more sent similar messages to customers and subscribers. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.