Cyber Incident Victim: YMCA of Central Florida
Date: Oct 2017
Location: United States of America
Summary
The YMCA of Central Florida experienced a security incident involving unauthorized access to several employee email accounts. The breach potentially exposed personal information including names, Social Security numbers, government-issued IDs, financial details, health records, and health insurance information. The organization promptly disabled affected accounts, reset passwords, and initiated an investigation with a forensic firm, which determined that accessed emails primarily contained program registration data. While there was no evidence of data misuse, the organization notified potentially impacted individuals as a precaution and offered complimentary credit monitoring to those with exposed Social Security numbers. Additional privacy training was implemented for staff, and a dedicated call center was established to address concerns.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 24, 2017, the YMCA of Central Florida discovered that an unauthorized individual had gained access to several employees' email accounts. The organization immediately disabled the compromised accounts, reset passwords, and initiated an investigation with assistance from a leading forensic firm. The subsequent forensic analysis revealed that the intruder may have accessed emails primarily containing information related to program registrations. While the investigation confirmed unauthorized access to the email accounts, the YMCA found no evidence that any information within the emails had been viewed or misused. The compromised data potentially included names, Social Security numbers, driver's licenses, passports, financial account details, payment card numbers, health information, and health insurance identification numbers.

Nearly six years after detecting the breach, on November 22, 2023, the YMCA began notifying potentially affected individuals as a precautionary measure. The organization established a dedicated call center operational Monday through Friday from 9 a.m. to 9 p.m. Eastern Time to address inquiries and provided a website with incident details. Individuals whose Social Security numbers were potentially exposed received offers for one-year complimentary credit monitoring and identity protection services. The YMCA attributed the delayed notification to the absence of evidence indicating actual data misuse. In response to the incident, the organization implemented additional privacy education and training for staff members to prevent future security breaches. The YMCA emphasized its commitment to community trust while acknowledging the incident affected its network of over 415,000 annual participants across 26 Central Florida locations.
