The Denver Art Museum warned 800 people this month of a data breach that included sensitive personal and financial information about its donors, customers, and current and former employees, according to a letter obtained by The Denver Post.
The letter, dated Oct. 9, informed recipients of the “data security incident” over the summer, as well as the museum’s discovery of the breach on Sept. 13, which triggered a forensic investigation by an unnamed third-party firm.
The unauthorized access began on or about June 5, and ended on or about June 27, the letter said. The breach occurred through an email phishing scam and affected two of the museum’s email inboxes, said Andrea Fulton, chief marketing officer for the Denver Art Museum.
“We have no evidence that anybody’s data has been compromised,” Fulton said. “None of our big databases were impacted. It’s simply content that was in a couple of email inboxes.”
Fulton declined to explain how the information was accessed, or why sensitive personal and financial details were stored in the email inboxes. The information included first and last names, physical addresses, birth dates, credit card information (including credit card number, verification codes and expiration dates), Social Security numbers, bank account numbers, driver’s license numbers and passport numbers, according to the letter.
Art museum officials have not filed a report with Denver Police and still do not know who was behind the attack.
“We are conducting a thorough review of the potentially affected computer systems and will notify you if there are any significant developments,” said the letter, which was attributed to the Denver Art Museum.
Museum officials also have retained risk-mitigation company Kroll to provide free identity monitoring for one year to the affected people, and has encouraged them to call 866-599-4455 with any questions.
“It was the right thing to do,” Fulton said.
Consumer credit reporting agency Equifax offered a similarly free credit reporting and identity-monitoring service after news of a massive hack of its electronic databases, which potentially compromised the personal information of 145.5 million Americans.
The art museum has not heard from any affected people, and has not lost any donors or members as a result, Fulton said. Affected people were notified as soon as the third-party investigation was finished. The Denver Art Museum has about 30,000 members, Fulton said.
“Unfortunately, in the world today, when you’re talking about data breaches, people understand that this happens,” Fulton said. “Obviously we’ve taken precautions to try to guard against this, but we haven’t had any negative reaction from it. We reacted as quickly as we possibly could and notified everyone that we felt needed to be notified.”
