Denver Art Museum suffers data breach affecting information of 800 people

As I’ve written in previous blog posts, size doesn’t matter when it comes to the risk of a data breach.  Nor does it matter whether the organization breached is a business or a nonprofit. The Denver Post reported this week that the Denver Art Museum suffered a breach over the summer, affecting personal and financial information of employees, donors, and visitors.

According to the report, the breach occurred as the result of a “phishing” attack, in which an email that appears to be legitimate, and that contains an attachment or link, is sent to someone inside an organization.  When the recipient clicks on the link or the attachment, malicious software can enter the organization’s computer network. That software may freeze or encrypt the organization’s data until a ransom is paid to release it (so-called “ransomware”).  In the case of the Denver Art Museum, the breach does not appear to be that serious; according to a letter sent by museum officials, the attack did not compromise the museum’s main databases, but did compromise information contained in email inboxes.

Phishing is the fastest-growing type of cyberattack, and it takes advantage of the fact that most people trust the emails they receive or don’t know how to recognize suspicious ones.  In this case, the Museum has not released details about the nature of the emails, but here are a couple of lessons that every organization can take away:

  • Train employees, at every level of the organization, on how to recognize possible phishing emails or other suspicious emails.  Also, hackers are making more use of social media such as Facebook, using links in innocent-looking posts.
  • Do not keep sensitive information in emails or email inboxes.  Presumably, there were emails in the affected inboxes at the Museum that may have contained attachments with the compromised information.  Sensitive information should be encrypted if sent by email, and attachments containing such data should not be kept in parts of a network that are vulnerable to attack.

Every organization and business, no matter its size, needs to take steps to thwart cyberattacks.  Raising awareness among employees of the types of attacks and what they look like is just one way to lower the risk of a breach.  If you have more questions, please call me at 720-575-0440 or email me at mark@spitzlegalcounsel.com.