August 7, 2020
Dear Community Member,
We are writing to let you know about a data security incident that may have involved personal Federation-related information belonging to you and other members of your family. This might also involve data of minor children, if you should have any living in your household at this time. This notice is a legally mandated response to the breach; however, we feel very confident in the successful outcome. It is also important to note that Federation does not store information about your credit card or bank accounts, so that information was never in jeopardy.
We were recently notified by one of our third-party service providers of a security incident. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attack, the service provider’s Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking access and fully encrypting files, and expelled them from their system. Prior to locking out the cybercriminal, a copy of our backup file containing your personal Federation-related information was removed by the cybercriminal. This occurred at some point beginning on February 7, 2020, and the cybercriminal could have been in the system intermittently until May 20, 2020.
What Information Was Involved
As noted before, Federation never stores information about your credit card or bank accounts, so that information was never in jeopardy. However, we have determined that the file removed may have contained your contact information, demographic information, and a history of your relationship with our organization, such as donation dates and amounts. Because protecting donors’ data is our top priority, along with this service provider, the cybercriminal’s demand was addressed and confirmation was received that the copy they removed has been destroyed.
What We Are Doing
As part of their ongoing efforts to help prevent something like this from happening in the future, our third-party service provider has already implemented several changes that will protect your data from any subsequent incidents. First, the provider’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. Additionally, they are accelerating efforts to enhance and strengthen security. The third-party service provider, its forensics experts, and law enforcement will continue to monitor all web locations for any indication that the data has not been deleted.
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. The Attorney General for the State of Missouri can be reached at ago.mo.gov or 573-751-3321. The major national credit reporting services are TransUnion (transunion.com), Equifax (Equifax.com), and Experian (Experian.com).
For More Information
We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact Diana Matthis, Manager, Technology & Central Services at Federation, at 314-442-3882 or DMatthis@JFedSTL.org.
Chief Operating Officer
Jewish Federation of St. Louis