Is nothing sacred anymore? Now, the Louisville Zoo membership information has been breached!
A third-party vendor that the Louisville Zoo uses to send out emails to its patrons was hacked. This is an example of a supply chain cyber attack. (That is when a vendor/partner has legitimate access to a client’s information systems, and a cyber threat actor uses that access to execute an attack, steal data, or launch a ransomware attack.)
According to the press release from the Zoo, the information maintained on the hacked system included names, email addresses, physical addresses, membership numbers, and membership levels. They reassured patrons that no sensitive information (i.e., payment card information) was stored with the service.
While it may seem that the information obtained is not that dangerous, consider for a moment that it is enough for a threat actor to reach out via email, text, or phone call, posing as a zoo official and asking for payment information, social security number, birthday, etc.
Not only is this an example of supply chain dangers, it should also be a wake-up call for any non-profit or membership-based organization.
For any organization that depends on donations, membership dues, sponsorships, etc., the marketing strategy depends largely on an emotional connection with your members. They believe in your cause. They trust in your work to do good things. And they trust that the support they send is used for those good works.
A breach of data is also a breach of trust. Even though a third-party intrusion is not technically the fault of your team, it is your organization’s name on the press release. It was your organization that utilized that vendor, and the information was data you collected.
What can you do? Implement Vendor Risk Management policies and procedures. Use due diligence to ensure your vendors are well vetted and that they implement proper cyber security procedures. And ensure your organization does as well.