The Orange County, Calif. branch of the Girl Scouts of America has been hacked, potentially exposing personal information for thousands of members.
Rest assured though: The cookies are safe, even those of the computing type.
According to a letter to members filed with the state [PDF], an “unauthorized third party” managed to gain access to an email account used by the Girl Scouts of Orange County (GSOC), from which they then used to send out emails of their own. While GSOC didn’t elaborate on the type of emails, presumably this was part of a phishing effort.
The deeper issue is that the account has been used to coordinate travel for members in the past, according to GSOC, so it’s possible that the adversary rifled through the inbox and found personal information for as many as 2,800 girls and their families.
Christina Salcido, vice president of mission operations for GSOC, said in the letter that the information floating around in emails in the account included members’ names, birth dates, home addresses, insurance policy numbers and health history. The info could be used for follow-on social-engineering-based attacks, as well as identity theft efforts.
Because minors usually have limited financial histories, criminals find it easier to open fraud accounts using their details, according to a report from Javelin Strategy and Research released earlier this year. That report also noted that more than a million U.S. children were affected by identity fraud last year, resulting in $540 million in out-of-pocket costs for families.
The GSOC account was hijacked only for one day, from Sept. 30 to Oct. 1. “Out of an abundance of caution, we are notifying everyone whose information was in this email account,” Salcido added.
In terms of implementing best practices, she also said that the account’s password has been changed and that GSOC is implementing a secure portal for submitting travel forms; meanwhile, all emails that contain personal information about members have been deleted.
The Girl Scouts ironically just rolled out the group’s first cybersecurity badges for members to earn, in September.