July 26th, 2021

Notice of Data Breach

Community Foundation was the target of a cyberattack earlier this year. Upon discovery, we performed a password reset for the affected email account as well as for all of our financial accounts. We changed a number of our data practices. We have sought out additional training to learn how we can better defend against future such attacks. We retained a law firm with expertise in these matters to make certain that we followed all legal requirements for cyberattack response.

We swiftly engaged a third-party team of forensic experts to perform a full forensic investigation to determine the incident’s scope. Following a full and thorough investigation, it was confirmed that only one (1) employee email account was subject to unauthorized access during this incident. We immediately investigated whether the affected email account contained individuals’ sensitive information. Following a thorough investigation, we determined that the unauthorized access may have allowed access to a limited number of individuals’ personal information.

We have informed all those potentially affected by this data security incident with a letter sent to anyone who may have had some Personally Identifiable Information (PII) exposed to the attackers. While we have no evidence to suggest that any of the impacted information was viewed or misused during this incident, it is crucial that we be as supportive and transparent as possible. The personal information that could have been accessed by the unauthorized individual(s) may have included first and last name, in combination with bank account number and routing number, or a credit/debit card number with an expiration date.  It is important to note that we never store any credit card information and we never request social security numbers nor birthdates.

In the letters sent we offered information about steps that can be taken to help protect information, and to let those affected know about complimentary credit monitoring services that we are offering. These services are recommended to those affected but are optional. Registering will require you to enter some personal information to establish your identity with the monitoring service.

If you have not received this letter, that means we have determined that your PII was not exposed during this attack.

We take the privacy and security of all information very seriously. We express our deepest regret for any worry or inconvenience that this incident may cause you. If you have concerns or questions, please email CEO George Ferrari.