Internet Security Incident
FOR IMMEDIATE RELEASE - May 16, 2017
CCM announces Internet Security Incident – Possible Data Breach
CONCORD – Earlier this month, Cooperative Christian Ministry (CCM) notified the NC Department of Justice, the Attorney General’s Consumer Protection Division and major consumer reporting agencies of a possible data breach on the ministry’s server used to process and store client data.
In a statement by the organization’s Executive Director, Ed Hosack; “Our technical staff detected an unauthorized user on our server early one morning in April. Staff took immediate steps to disable the user, restrict access and notify our external systems support contractor”.
To date, the ministry and independent support have not detected any other malicious activity, however, the ministry leadership is addressing protocol as if the worst case scenario. The organization’s major focus is on a database of ministry clients from 2004-2011, but all of the data stored on the server was vulnerable up to the present time. In 2012, the ministry converted from a client database that was developed in house to a proprietary data management system with significant functional and security improvements. The raw data used to populate the new system, 2004-2011, was archived in the organization’s main server and was therefore vulnerable to a cyber invasion. “Even after investing in and employing administrative security strategies on an ongoing basis, Hosack said, “we were obviously no match for those who were determined to invade our system.”
The ministry is most concerned about personally identifiable information for approximately 20,000 individuals who were served by the ministry during that period (2004-2011). There are additional clients that came to CCM after that initial time period that could also be notified, but the majority fall between those 7 years. CCM is preparing a mailing to each one of those households notifying them of the possible compromise of their data. The letter meets all requirements of notification, including the type of information that was at risk and recommended steps they may take to protect themselves.
With the guidance of internet security professionals, CCM immediately implemented enhanced security measures and this week is installing additional hardware and software to further secure its technology systems. “Our response to date will cost around $10,000”, Hosack said, “not including the extraordinary staff time that has been dedicated to investigation and mitigation. It is our hope that no data was actually compromised, but we will not assume that.”
“The only potential benefit”, according to Hosack, “is in sharing our misfortune and the lessons learned with our local small business and nonprofit community in the hope of preventing similar hardship.” CCM has received the commitment of a regional cyber security expert to address nonprofit leaders at its Cabarrus County Nonprofit Workshop in August. The organization encourages all local nonprofit leaders to put August 24th on their calendar to be informed by an expert in Cyber Security about the latest concerns and appropriate protective measures.