Cyber Incident Victim: Ohio History Connection

On or about July 9, 2023, the Ohio Historical Society, a non-profit organization operating from 800 E. 17th Ave. in Columbus, Ohio, experienced a significant external system breach. The incident, which was discovered on the same date it occurred, involved an unauthorized party gaining access to the organization's systems through hacking. This breach resulted in the compromise of personal information belonging to a total of 7,600 individuals. Among those affected, sixteen were identified as residents of the state of Maine. The breach did not affect a sufficiently large number of Maine residents to trigger a requirement for notifying consumer reporting agencies, as the threshold of 1,000 was not met.

The specific category of information acquired during this cyber incident was particularly sensitive. The compromised data included the name or another form of personal identifier in combination with financial account numbers or credit and debit card numbers. Critically, this financial information was not accessed in isolation; it was acquired in combination with the corresponding security codes, access codes, passwords, or personal identification numbers (PINs) for those accounts. This combination of data elements significantly increases the potential for fraud and misuse, as it provides attackers with the necessary components to conduct unauthorized financial transactions or commit identity theft.

Legal representation for the Ohio Historical Society in the aftermath of the breach was provided by Wesley Newhouse, who served as General Counsel from the firm Newhouse, Prophater, Kolman & Hogan, LLC. Mr. Newhouse, whose contact information includes the telephone number 6148270901 and the email address [email protected], acted as the attorney and the primary submitter for the entity whose information was compromised. His role involved managing the formal notification process and interfacing with state authorities, including the Office of the Maine Attorney General, to which the breach was reported.

The method of notification chosen to inform affected individuals was written communication. The consumers who were impacted by this data security event were formally notified on August 23, 2023, which was approximately six weeks after the breach was discovered and occurred. A copy of the notice that was sent to the affected Maine residents was filed with the Maine authorities under the title "Breach Notification Letter_static proof r4.pdf." This document likely contained detailed information about the nature of the breach, the specific data exposed, and the steps the organization was taking in response, as well as the protection services being offered.

In response to the breach and recognizing the heightened risk to the affected individuals, the Ohio Historical Society opted to offer identity theft protection services to those impacted. The services were provided through IDX/Zerofox, a known provider in the field of identity protection and cyber risk management. The duration of these services was set for a period of twelve months. Such services typically include credit monitoring, identity monitoring, fraud consultation, and identity theft restoration, providing a crucial safety net for individuals whose personal and financial information has been exposed to malicious actors.

This incident stands alone for the organization within a recent twelve-month period, as there were no previous breach notifications reported from the Ohio Historical Society in that timeframe. The isolated nature of this event, however, does not diminish its seriousness. The compromise of financial data combined with authentication credentials represents a severe intrusion that necessitates a comprehensive response. The offering of a full year of identity protection services indicates the organization's acknowledgment of the severe potential consequences for the victims and represents a standard mitigation effort to help safeguard their financial security and personal identities moving forward.

The reporting of this incident to the Maine Attorney General’s office is part of a broader legal obligation that organizations face when a breach involves the personal information of residents from that state. Maine's data breach notification laws require entities to inform the state authorities and affected individuals when a security breach occurs. The detailed information submitted, including the entity type, the number of residents affected, the date of the breach, and the description of the information acquired, fulfills these regulatory requirements and provides transparency regarding the scope and impact of the incident.

The fact that the breach was both discovered and occurred on the same date, July 9, 2023, suggests that the intrusion may have been detected very quickly, perhaps as it was happening, or that the external attack was immediately apparent to the organization's security systems. Alternatively, it could indicate that the discovery process was instantaneous due to the nature of the attack. The article does not provide further detail on the specific mechanisms of the hack or the exact IT systems that were targeted, but it clearly classifies the event as an external system breach originating from hacking activity.

The Ohio Historical Society, by virtue of being a non-profit organization dedicated to history, likely maintains databases containing information on donors, members, or customers from its operations, which could include online store transactions or membership registrations. The breach of such data underscores the fact that all organizations, regardless of their primary mission, are targets for cybercriminals seeking to monetize stolen personal and financial information. The exposure of 7,600 individuals’ sensitive details highlights the scale of the threat and the importance of robust cybersecurity measures for entities of all types and sizes.

In summary, the incident involved a direct attack on the organization's digital infrastructure, leading to a significant data compromise. The response included a delayed notification process, likely to allow for a thorough investigation and to ensure accurate information was provided to victims, and the provision of protective services to mitigate future harm. The engagement of external legal counsel to manage the regulatory compliance and notification aspects demonstrates the formal and serious approach taken by the organization in addressing the breach and its obligations to those affected. The entire event serves as a documented example of the ongoing challenges posed by external threats to data security.