The Art Gallery of Ontario has told members that an internal server had been breached by a third party last month, warning them that their personal information may have been accessed in the process.
The incident occurred between Sept. 9 and 18, and “impacted” files that had been saved to the AGO’s internal shared server over the past 12 months, gallery staff said in an e-mail Wednesday to members. It was not immediately clear if the information accessed by the third party, which has not yet been publicly identified, had been “misused,” the e-mail says.
The Toronto gallery’s daily operations are not expected to be affected.
“Immediately upon becoming aware of the incident we engaged security specialists to complete a full investigation and to gain a clearer understanding of the breadth of the incident as well as external legal counsel,” the e-mail says.
“Our work has been guided by legal counsel, security specialists and relevant privacy legislation.”
Asked about the extent of the breach, the AGO said that “the vast majority of customer data and credit card information” was not affected, but that it was notifying “individuals who may have been impacted.” The gallery did not clarify whether staff, donor or non-member visitor data had been affected.
The AGO is one of the largest art museums in North America. Though its most recent total membership numbers were not immediately clear, the gallery said in November, 2019, that more than 100,000 people had signed up for an annual-pass program that launched that year.
Data breaches have become more common in recent years, as hacking methods increase in sophistication; culture and entertainment organizations have been among the targets.
Indigo Books and Music faced a ransomware attack last year that compromised staff members’ personal information. This past July, the federal privacy commissioner said it would investigate Ticketmaster after its global parent company said a data breach may have affected millions of users’ data worldwide.