Wordfly is a digital marketing platform that offers email, SMS marketing, forms and surveys for its clients to use with their customers or contacts.
On July 10, Wordfly experienced a ransomware attack that encrypted their environment and disrupted services until July 29, when their status account tweeted:
WordFly has returned to service. Thank you for your tremendous amount of patience and support. More info is coming to your inbox soon. https://t.co/s7YFm0f8U0
— WordFly Status (@wordflystatus) July 29, 2022
WordFly has returned to service. Thank you for your tremendous amount of patience and support. More info is coming to your inbox soon. https://t.co/s7YFm0f8U0
A fuller description of the incident by Wordfly can be found on their site. The statement does not indicate who the bad actor was. Of note, they report that the customer data included “email addresses, names, and other data our customers import or collect via Wordfly.”
In their disclosure, Wordfly also states:
It is our understanding that as of the evening of July 15, 2022, the data was deleted from the bad actor’s possession. We have no evidence to suggest, before the bad actor deleted the data, that the data was leaked or disseminated elsewhere. We also have no evidence to suggest that any of this information has been, or will be, misused.
So how did this deletion happen? Did Wordfly pay a ransom demand? DataBreaches sent an email inquiry to Wordfly days ago but no reply has been received.
Notifications Begin
Some of Wordfly’s clients have started notifying their customers. In its FAQ on the incident, Wordfly had written:
Should I contact my customers?
Due to the generally non-sensitive and public nature of the data that we know was exported so far, as well as our understanding of the nature of this ransomware event, we currently have no evidence to suggest that any of this information has been, or will be, misused to perpetrate harm to the rights and liberties of our customers or their subscribers. You may choose to contact your customers out of an abundance of transparency or if you know you uploaded or collected data in WordFly that is sensitive.
An FAQ for U.S./Canadian/Asian Pacific clients of Wordfly was provided separately, here.
As of yesterday, entities that had already disclosed this breach includes U.S. entities such as the Cleveland Museum of Art, Louisville Zoo, and the Smithsonian National Zoo.
Non-U.S. entities reporting the breach include:
Canadian entities reported by The Globe and Mail: the National Ballet of Canada, Toronto Symphony Orchestra, Canadian Opera Company, Canadian Stage Company, and The Musical Stage Company. Other Canadian entities include OceanWise, the Vancouver Symphony Orchestra, and Winspear.
The National Gallery of Australia and Sydney Dance Company in Australia announced the breach, as did the Royal New Zealand Ballet.
In the U.K., the Box Plymouth and Courtauld Gallery both issued notifications.
The preceding are just a sampling of notices we have found around the web and there are likely many more.
Dissent also contributed to the research and reporting of this incident.