Cyber Incident Victim: WHYY

On June 29, 2023, WHYY, Inc. detected suspicious activity within its computer network. The organization immediately launched an investigation into the event with the assistance of third-party cybersecurity specialists. The investigation determined that an unauthorized actor had gained access to WHYY’s systems on or around that same date, June 29, 2023. The threat actor viewed or copied certain files stored within the company's systems. The specific technical methods of initial access, the duration of access prior to detection, and the specific systems targeted were not detailed in the public disclosure. The primary action confirmed was the viewing and copying of files from the compromised systems.

Following the containment of the immediate threat, WHYY undertook a thorough and time-intensive review of the files involved in the incident. The purpose of this review was to identify the individuals whose personal information was contained within the impacted files and to locate address information so that official notice could be provided to them. This process was described as an abundance of caution to ensure all potentially affected individuals were identified. The review concluded that the compromised data types were limited to name and Social Security number. There was no mention of other personal information, such as addresses, financial data, or health information, being accessed or exfiltrated.

The impact of the incident was the potential exposure of sensitive personal information. WHYY stated it was unaware of any actual identity theft or fraud occurring as a direct result of this event at the time of the notification. However, the exposure of Social Security numbers presents a significant risk of future misuse, including identity theft, fraudulent credit applications, and other forms of financial fraud. The exact number of individuals affected by this data breach was not disclosed in the provided notice.

In response to the incident, WHYY promptly took steps to investigate, assess the security of its systems, and restore functionality to its environment. The company emphasized its ongoing commitment to data security and stated it was working to review and further enhance its existing safeguards for protecting personal information. WHYY also reported the event to federal law enforcement and government regulators as required by law. The notice was not delayed by law enforcement, indicating the investigation had progressed to a point where public notification was permissible.

As a remedial action for those impacted, WHYY offered access to 24 months of complimentary credit monitoring and identity restoration services through the firm Kroll. The services offered included triple-bureau credit monitoring, a current credit report, Web Watcher internet monitoring, Public Persona monitoring, Quick Cash Scan for loan monitoring, $1 million in identity fraud loss reimbursement, unlimited fraud consultation, and full identity theft restoration services provided by licensed investigators. Instructions for activating these services, along with a unique membership number, were enclosed with the individual notification letters. A deadline for activation was provided, though the specific date was redacted in the sample notice.

The notification letter, dated September 8, 2023, provided detailed information on steps individuals could take to protect themselves. This included standard guidance such as reviewing account statements, monitoring credit reports for suspicious activity, and considering the placement of fraud alerts or credit freezes with the three major national credit bureaus: Equifax, Experian, and TransUnion. The notice provided the full contact information for these bureaus, including websites and mailing addresses for requesting fraud alerts and credit freezes. It also directed individuals to resources provided by the Federal Trade Commission for victims of identity theft.

WHYY established a dedicated toll-free assistance line for individuals with additional questions, available on weekdays from 9:00 AM to 6:30 PM Eastern Time, excluding major U.S. holidays. The company expressed that it takes the privacy and security of personal information very seriously and sincerely regretted any inconvenience or concern the incident may have caused. The public disclosure was made via a sample letter posted by the Vermont Attorney General’s office, indicating that affected individuals resided in multiple states, including Vermont, the District of Columbia, Maryland, New York, and North Carolina, as contact information for the attorneys general of those jurisdictions was specifically included in the notice materials.