For the past several months, HFHC has been dealing with a significant and malicious data breach which has severely handicapped our ability to efficiently conduct business and has hijacked our attention for the last several months. The tech company we are now working with states in its letter of findings that “In 17 years of business support RangerTek has not come in contact with a network and server that has had this level of security failure. Further RangerTek has not seen this level of malicious attack on a server”.
Though we struggle to comprehend why we would be targeted for such an attack, our team began working immediately to determine the extent of the breach, to recover as many files as possible, and to not only meet our legal obligation for notification but also to put credit and identity theft monitoring and repair services in place for any individuals affected. We now feel we know enough to share with you, and to further commit to complete transparency on not only what we have learned but on our process moving forward.
Critical Data Breach: What Affiliates Need to Know
- HFHC’s email was not included in the breach, as our email is hosted on the cloud and not on our server; therefore there is no need to be concerned about data transmitted between us via email.
- No credit card information, either from donors or affiliates, was compromised as HFHC uses a third party portal.
- Compromised personal information is limited only to documents that included first and last name, address, date of birth, and either a social security number or driver’s license number. At this time we believe this only includes HFHC staff and applicants specific to USDA loans and FHLB subsidies. Per our document retention policy, we do not store that data physically; however, any document scanned onto our server may have been breached. Your affiliate may be contacted requesting additional information to assist us in properly notifying applicants.
- HFHC has enlisted the following professional services to assist us:
  - RangerTek – forensic IT services to determine the point and extent of the breach and to decrypt and recover data
  - AllClear ID – notify any individuals whose personal data may have been compromised, offer credit and identity theft monitoring and repair for a one-year period
  - FBI – notified and submitted report outlining extensiveness of data breach