Cyber Incident Victim: WordFly

Date: Jul 2022

Location: United States of America

Summary

A ransomware attack targeted a digital marketing company serving major arts organizations globally, rendering its technological environment inaccessible and encrypting its application. The attackers exported customer data including email addresses and names collected through marketing forms, but the company asserted the information was not sensitive and claimed the stolen data was subsequently deleted by the threat actors without evidence of misuse or dissemination. While the incident was reportedly contained, all systems remained offline during restoration efforts. Affected clients—including prominent cultural institutions—issued public advisories urging vigilance despite the company's reassurances that subscriber data exposure did not necessitate formal notifications due to perceived low risk of harm.

Description

On or around July 1, 2022, WordFly—a digital marketing service provider specializing in email and SMS communications for arts and cultural organizations—experienced a ransomware attack that encrypted its application and rendered its technological environment inaccessible. The company’s business development director, Kirk Bentley, informed customers on July 10 that external digital forensics and cybersecurity teams had been engaged to investigate the incident. By July 14, forensic analysis confirmed that attackers had exported subscriber data from WordFly’s systems to an external location. The compromised data included email addresses, names, and information collected through customer forms, such as survey responses or event registrations. WordFly asserted the stolen data was not sensitive, primarily consisting of contact details, and reported that the attackers deleted the exported information by the evening of July 15. The company found no evidence that the data was leaked, disseminated, or misused prior to its deletion. While WordFly claimed the attack had been contained, its investigation remained ongoing, and all systems stayed offline as of July 10, with gradual service restoration efforts underway.

The incident disrupted operations for numerous high-profile clients globally, including the Smithsonian Institution, Toronto Symphony Orchestra, Canada Stage, Sydney Dance Company, Royal Shakespeare Company, and the Old Vic Theatre. WordFly advised affected organizations that customer notifications were unnecessary due to the non-sensitive nature of the data and its deletion by the attackers. However, several clients independently issued public statements and took precautionary measures. The Smithsonian acknowledged WordFly’s engagement with the attackers to secure data deletion but reserved the right to update stakeholders if new information emerged. The Toronto Symphony Orchestra migrated to a different email provider and alerted subscribers to monitor for unauthorized activity. Similar warnings were disseminated by organizations in Australia, the U.K., and elsewhere, reflecting sector-wide concern over potential risks despite WordFly’s assurances. The attack impaired core WordFly services—including campaign sending, tracking, reporting, inbox previews, media hosting, and form management—leaving clients without critical marketing tools during the outage.
