Cyber Incident Victim: Volunteers of America Chesapeake & Carolinas
Date:
Feb 2021
Location:
United States of America
Summary
A phishing email incident at Volunteers of America Chesapeake & Carolinas compromised a limited number of email accounts, exposing personal information including names, Social Security numbers, financial account details, payment card data, driver's license numbers, and limited medical information. While unauthorized access occurred, the organization found no evidence of actual data viewing or misuse. Affected individuals were notified through mailed letters where addresses were available, with public notices and a dedicated call center established for others potentially impacted. The nonprofit implemented enhanced security measures following the incident to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 25, 2021, Volunteers of America Chesapeake & Carolinas (VOACC) publicly disclosed a phishing email incident that compromised a limited number of email accounts within its computer environment. The unauthorized access occurred after attackers successfully executed a phishing campaign, though the exact timeline of initial intrusion and duration of access was not specified in public reporting. Exposed information included names paired with sensitive identifiers such as Social Security numbers, financial account details, payment card numbers, driver's license numbers, and limited medical or health data. VOACC explicitly stated it could not confirm whether unauthorized actors actually viewed personal information and noted no evidence of subsequent misuse. The organization initiated direct mail notifications on the disclosure date to affected individuals for whom address records existed, supplemented by a public notice for those without verified contact information. A dedicated call center (855-761-1067) operated during Central Time business hours was established to address inquiries.
VOACC implemented additional security measures following the incident to prevent recurrence, though technical specifics of these controls were not detailed in public communications. Impacted individuals were directed to a PDF resource on VOACC's website outlining general data protection guidance, though this document did not describe the attack vector or forensic findings. The organization maintained consistent messaging that the incident stemmed solely from email account compromise via phishing, with no indication of broader network infiltration or malware deployment. No ransomware claims, data extortion attempts, or attacker affiliations were referenced in official statements. While VOACC acknowledged the presence of health information among exposed data, it did not specify whether this triggered HIPAA reporting obligations or involved protected health records from specific programs. The notification process adhered to standard regulatory timelines without reference to law enforcement investigations or third-party forensic audits.