Cyber Incident Victim: Scrum.org
Date: May 2016
Location: United States of America
Summary
Scrum.org detected unauthorized access after identifying mail server configuration changes and a fraudulent administrator account, later attributing the breach to a vulnerability in third-party software disclosed shortly after initial detection. The incident potentially exposed user names, email addresses, encrypted passwords alongside their decryption key, certification records, test scores, and photo avatars, though no financial data was compromised; the organization found no evidence confirming data exfiltration or subsequent misuse despite the compromise of cryptographic materials.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On May 26, 2016, Scrum.org detected an anomaly involving its website’s outgoing mail server, which had stopped delivering emails containing initial passwords to users. An internal investigation revealed unauthorized modifications to the mail server’s configuration settings and the presence of a newly created administrator account not authorized by the organization. The discovery prompted immediate scrutiny of the website’s infrastructure, though the initial focus remained on restoring email functionality. No explicit timeline was provided for how long the mail server had been compromised prior to detection. The incident coincided with a critical vulnerability disclosure from one of Scrum.org’s software vendors, though the vendor’s identity and the nature of the vulnerability were not disclosed in the notification to users.

On May 27, 2016, Scrum.org received formal confirmation from its software vendor that a newly discovered vulnerability in the vendor’s product had enabled the breach. The organization validated the vulnerability’s applicability to its systems and implemented all remediation steps recommended by the vendor to secure the website. Scrum.org’s forensic analysis determined that attackers potentially accessed user names, email addresses, encrypted passwords, the cryptographic key used to decrypt those passwords, completed certification records, test scores, and user profile avatars. However, the organization stated it could not confirm whether any data was exfiltrated or misused, and no evidence suggested unauthorized exploitation of the compromised information. Financial data was not stored on the affected systems and remained unaffected. Scrum.org notified users of the incident but did not publicly disclose additional technical specifics regarding the attack vector or the duration of unauthorized access.
