Cyber Incident Victim: Orange County Branch of the Girl Scouts of America

On September 30, 2018, unauthorized actors gained access to an email account operated by the Girl Scouts of Orange County (GSOC), maintaining control until October 1, 2018. The compromised account was historically used to coordinate travel arrangements for members, exposing personal information of approximately 2,800 individuals including scouts and their families. Attackers exploited this access to send messages from the account during the breach window. GSOC confirmed the exposure of names, birth dates, and home addresses for affected members. For some individuals, compromised data extended to insurance policy numbers and health history details, as disclosed in a notification letter from Christina Salcido, GSOC's Vice President of Mission Operations. The organization identified the breach through unspecified detection methods and terminated unauthorized access by October 1.

GSOC initiated member notifications by October 22, 2018, alerting all individuals whose data resided in the compromised email account regardless of confirmed access. The organization deleted all emails containing member data from their systems as a containment measure. Security enhancements were implemented for the travel coordination portal associated with the breached account. Cybersecurity experts subsequently warned that exposed personal information could facilitate social engineering attacks targeting affected families. No ransomware deployment, financial theft, or secondary system compromises were reported in connection with the incident. The breach remained confined to the single email account's contents with no evidence of broader network infiltration.