The Art Gallery of Ontario told members Wednesday that an internal server had been breached by a third party last month, warning them that their personal information may have been accessed in the process.
The incident occurred between Sept. 9 and Sept. 18, and “impacted” files that had been saved to the AGO’s internal shared server over the past 12 months. It was not immediately clear if the information accessed by the third party had been “misused,” gallery staff said in an e-mail to members.
The gallery’s daily operations are not expected to be affected.
“Immediately upon becoming aware of the incident we engaged security specialists to complete a full investigation and to gain a clearer understanding of the breadth of the incident as well as external legal counsel,” the e-mail said. “Our work has been guided by legal counsel, security specialists and relevant privacy legislation.”
Asked about the extent of the breach, the AGO said that “the vast majority of customer data and credit card information” was not affected,” but that it was notifying “individuals who may have been impacted.” The gallery did not clarify whether staff, donor, or non-member visitor data had been affected.
The AGO is one of the largest art museums in North America. Though its most recent total membership numbers were not immediately clear, the gallery said in November, 2019 that more than 100,000 people had signed up for an annual-pass program that launched that year.
Data breaches have become more common in recent years as hacking methods increase in sophistication; culture and entertainment organizations have been among the targets.
Indigo Books and Music faced a ransomware attack last year that compromised staff members’ personal information. This past July, the federal privacy commissioner said it would investigate Ticketmaster after its global parent company said that a data breach may have affected millions of users’ data worldwide.
