Florida YMCA notifies 12K people of data breach compromising SSNs

YMCA of Central Florida over the weekend confirmed it notified 11,954 people of a May 2024 data breach that compromised the following info:

• Names
• Social Security numbers
• Financial account numbers
• Personal health information
• USCIS numbers
• Passport numbers
• Dates of birth
• Driver’s license numbers
• Mailing addresses

Ransomware gang LockBit claimed responsibility for the breach in early June. It posted what it says are scans of IDs and other documents as proof of its claim.

YMCA has not verified LockBit’s claim. We don’t yet know whether YMCA paid a ransom, how much LockBit demanded, or how attackers breached YMCA’s network. Comparitech contacted YMCA of Central Florida for comment and will update this article if it replies.

The YMCA’s notice to victims states, “On May 20, 2024, YMCA detected it was the target of a cybersecurity incident. An unauthorized third party attempted to infiltrate the YMCA’s computer network and access internal department files.”

YMCA is offering eligible victims, who could be at risk of identity theft, 12 months of free credit monitoring via Cyberscout. The deadline to enroll is 90 days from the date on the notice letter.

Who is LockBit?

LockBit first appeared in 2019 and has claimed responsibility for thousands of ransomware attacks. In addition to date theft, the Russian cybercrime group’s malware encrypts computer systems so they can’t be used until a ransom is paid for a key to decrypt them.

Comparitech researchers logged 77 confirmed ransomware attacks claimed by LockBit so far in 2024, affecting 8.3 million records. Most of those attacks (69) happened in the first half of the year.

LockBit further claimed 338 attacks in the first half of the year that weren’t acknowledged by targets. The gang’s activity dropped off in the second half of this year with only 86 unconfirmed claims.

Other recently revealed LockBit victims include attorney Harwood Lloyd and Redwood Coast Regional Center, which serves people with developmental disabilities. The former notified 2,602 people after LockBit demanded a $2.5 million ransom in April 2023, and the latter notified 24,937 people of a March 2024 data breach claimed by LockBit.

Ransomware attacks in the USA

So far in 2024, we tracked 496 ransomware attacks on US companies, affecting 155,067,230 records. The average ransom is $2.64 million.

In other recent ransomware news, Inszone Insurance Services notified 21,829 people following a February 2023 attack claimed by Hunters International. Project Hospitality, another nonprofit, is now issuing data breach notifications following a July 2024 attack by Rhysida, which demanded 15 BTC in ransom (worth $867,000 at the time).

Another 1,682 ransomware attacks were claimed but not confirmed against targets in the US this year.

About YMCA of Central Florida

YMCA of Central Florida operates 18 facilities in and around Orlando. It was first formed in 1885.

YMCA is a youth organization based in Geneva, Switzerland with more than 64 million members and 12,000 branches worldwide. Their facilities provide athletic facilities, host classes and workshops, promote Christianity, and do humanitarian work.

YMCA is a federation, meaning each individual YMCA is affiliated with a national organization.