Notification of a Cybersecurity Incident

March 10, 2022

We take the privacy and security of our donors’, artists’, patrons’, employees’, and partners’ personal information very seriously and would like to let you know of a recent cybersecurity incident that we experienced.  This incident has been contained and is not ongoing.  Based on our investigation, our donation and payment processing systems were not compromised in this incident and the donation portal on our website remains secure and safe to use.

We are providing this statement to explain the incident, the personal information that may have been impacted, the measures we have taken in response, and the steps you should consider taking to help protect your information and identity.

ABOUT THE INCIDENT

On October 21, 2021, TSM learned from a third party that the email account of one of TSM’s employees may have been accessed by a third party without authorization.  We promptly initiated a cybersecurity response and launched an investigation to determine the nature and scope of the incident.  We also engaged a cybersecurity firm to assist in securing our email systems, investigating the incident, and identifying any potentially compromised information.  

The investigation has determined that an unauthorized third party accessed, and may have acquired information from, the email account of a single TSM employee between at least August 11, 2021 and October 18, 2021.  We have successfully terminated this unauthorized access and have reported the incident to law enforcement.  The cybersecurity firm we hired has also conducted a review of the data that was potentially impacted to identify individuals and entities whose sensitive information may have been affected.  We then worked with the cybersecurity firm to compile contact information for such potentially impacted individuals and entities.  That process was completed on February 7, 2022.

PERSONAL INFORMATION IMPACTED

We have reached out directly, via email or mail, to all donors whose personal information (beyond name and donation amounts) may have been compromised and to all affected artists, patrons, employees, and partners whose contact information we have been able to locate.  In those notifications, we informed affected individuals about this incident and the categories of their personal information that may have been compromised. 

In addition, certain limited personal information relating to a number of artists and program applicants for whom we have been unable to locate contact information may also have been affected by this incident.  This includes:

  • The names and dates of birth of applicants to TSM’s 2019 and 2020 Art of Song program; and
  • The names and certain application- or contract-related information (such as honorarium amount) for a small number of artists previously engaged by TSM and a TSM summer student applicant.

WE ARE TAKING A NUMBER OF STEPS FOR YOUR PROTECTION

Safeguarding our donors’, artists’, patrons’, employees’, and partners’ information is essential to us, and we will continue to invest in hardening our defences. We have put in place additional security measures to help prevent a similar incident and will utilize the information revealed in the analysis of this incident to further strengthen the security of our network, systems, and information. We will also continue to collaborate fully with any law enforcement investigation into this incident.

STEPS YOU CAN TAKE TO MINIMIZE RISKS TO YOUR INFORMATION

While we are not aware of any public disclosure of any compromised information or use of any compromised information for fraudulent purposes, we encourage all potentially affected individuals—and in fact all of our website visitors—to take steps to protect themselves against potential misuse of any compromised information.  You should:

  • Keep an eye out for phishing emails, solicitation letters, voice messages, text messages, and other fraudulent communications.  Unless you contact us, we will not call or text you asking for personal information regarding this cybersecurity incident.  We will also never ask you for your credit card details via email or for any account password in any form of communication.  If you receive such a fraudulent communication from someone impersonating TSM, do not click on any links, download any files, or reply to the communication.  Instead, please let us know about it using the contact details below.
  • Periodically order a copy of your credit report from both of the major credit reporting agencies in Canada, TransUnion and Equifax, free of charge. Once you receive your reports, review them for suspicious activity and notify the credit agencies if any information is incorrect. You can obtain your report from TransUnion here or by calling 1-800-663-9980 and you can obtain your report from Equifax here or by calling 1 800-465-7166.
  • Monitor your financial and other accounts for unusual or suspicious activity that you do not recognize. Contact the relevant financial institution or company immediately if you spot any unusual activity.
  • Monitor your mail for any change or disruptions. Report any irregularities in your mail delivery to Canada Post.
  • Consult additional resources, such as the Government of Canada’s Get Cyber Safe website and the Canadian Anti-Fraud Centre, to inform yourself further about cybersecurity and steps you can take to protect yourself online.

The above information is subject to change. If we learn more, we will update this website to provide additional information.

HOW TO GET IN CONTACT WITH US

If you have any questions, please call me at 647-430-5699 ext. 113, Monday through Friday, between 9:30 a.m. and 4:30 p.m. Eastern Time.  The security of your personal information is important to us and we apologize that this incident occurred and for the inconvenience it is causing.

Sincerely,

Vanessa J. Goymour
Executive Director
Toronto Summer Music Foundation

Frequently Asked Questions

We realize that a cybersecurity incident of this nature may cause you concern. The following FAQs are being provided to assist you in understanding the incident and to provide you with answers to your questions.

Based on our investigation, our donation and payment processing systems were not compromised in this incident and the donation portal on our website remains secure and safe to use.  That said, your personal information may still have been included in the compromised TSM employee email account and could therefore have been affected by this incident.  If that is the case, you have or will hear from us:  we have reached out directly, via email or mail, to all donors whose personal information (beyond name and donation amounts) may have been compromised in this incident.

The compromised data contained a variety of personal information relating to certain donors, artists, patrons, employees, partners, and other third parties.  We have reached out directly, via email or mail, to all donors whose personal information (beyond name and donation amounts) may have been compromised and to all affected artists, patrons, employees, partners, and third-parties whose contact information we have been able to locate.  With respect to the potentially affected artists and program applicants for whom we have been unable to locate contact information, the potentially compromised data includes their names, dates of birth, and certain application- or contract-related information (such as honorarium amount).

While we are not aware of any public disclosure of any compromised information or use of any compromised information for fraudulent purposes, you should monitor your credit card statements and financial accounts for unusual or suspicious activity that you do not recognize.  Contact the relevant financial institution immediately if you spot any unusual activity.  You should also periodically order a copy of your credit report from both of the major credit reporting agencies in Canada—TransUnion and Equifax—free of charge.  Once you receive your reports, review them for suspicious activity and notify the credit agencies if any information is incorrect.  You can obtain your report from TransUnion here or by calling 1-800-663-9980 and you can obtain your report from Equifax here or by calling 1 800-465-7166.

We encourage you to also take the following steps to protect yourself against potential online risks and misuse of your information:

  • Keep an eye out for phishing emails, solicitation letters, voice messages, text messages, and other fraudulent communications. Unless you contact us, we will not call or text you asking for personal information regarding this cybersecurity incident.  We will also never ask you for your credit card details via email or for any account password in any form of communication.  If you receive such a fraudulent communication from someone impersonating TSM, do not click on any links, download any files, or reply to the communication.  Instead, please let us know about it using the contact details below.
  • Consult additional resources, such as the Government of Canada’s Get Cyber Safe website and the Canadian Anti-Fraud Centre, to inform yourself further about cybersecurity and steps you can take to protect yourself online.

Should you have any questions or concerns about this cybersecurity incident, please contact our Executive Director Vanessa Goymour at 647-430-5699 ext. 113.