On December 2, the U.S. Fund for UNICEF discovered that it had been hacked on or about November 4. Upon discovery, they immediately disabled and disconnected the server from the network and arranged for a forensic examination. The investigation confirmed that only the one server was involved, but that personal information – including names, phone numbers, credit card numbers with CVV codes (and expiration dates, if provided) and e-mail addresses – was accessed. In some cases, bank account information was accessed as well.
The Fund notified an unspecified number of affected individuals on January 6 and offered them credit monitoring and identity theft restoration services with AllClear ID. They noted that they had no reports of misuse, but had established a confidential privacy line for those affected to call if they had questions or required assistance understanding the advice on how to protect themselves.
You can read their notification to the state and affected individuals on the New Hampshire Attorney General’s website.
While their response was admirable, it’s not clear why they were storing credit card information and bank account numbers at all. Were these stored for recurring monthly donations? If not, why were they stored, and why weren’t they encrypted? Storing CVV codes after a transaction has been authorized is prohibited outright under PCI DSS, whatever the reason for retaining the card numbers themselves. The Fund did not mention specific steps it was taking to ensure that this type of incident didn’t happen again, but not storing such information and/or encrypting all PII would certainly seem like an important step.