Jekyll Island Data Breach Update

The Jekyll Island-State Park Authority was subject to a recent data privacy event that may have impacted the security of personal information. While there is currently no evidence that any of this information has been misused, we want to provide you with information about the incident, our response, and steps you may take to better protect against possible misuse of your personal information, should you feel it appropriate to do so.

What Happened.

On September 11, 2020, the Authority discovered an active ransomware attack on its computer systems that may have begun in June 2020. The Authority immediately launched an investigation to determine the nature and scope of the attack. The investigation included working with third-party computer experts and law enforcement officials. As part of the ongoing investigation, it was determined this attack was introduced by an unknown third party that had gained unauthorized access to servers on our computer systems.

Out of an abundance of caution, the Authority began the process of reviewing the potentially affected systems to determine whether any personal information was present on these systems at the time of the incident. This review required an extensive programmatic and manual review of the potentially accessed files. The Authority concluded this review and determined that personal information was present in the affected systems. Since that time, the Authority has been diligently organizing this information and its records for purposes of notifying potentially affected individuals about this incident. To date, we have no information that there has been any actual or attempted misuse of sensitive information related to this incident.

What Information Was Involved?

A review of the system involved determined that certain information was present on the system. This information may have included an individual’s name, address, driver’s license number, Social Security number, bank account number, debit or credit card number, medical records arising out of workers’ compensation claims or through a suit involving the Authority, diagnosis, disability code, or other personal information, or records related to any care, services or supplies you received from Jekyll Island Fire/EMS. Out of an abundance of caution, we are providing notice of this incident because we cannot rule out unauthorized access to this information occurred.

Thankfully, we have been assured by our third-party vendors that credit card information used to pay your parking fee or to pay your utility bills remains encrypted and has not been compromised.

We have received no reports that anyone has experienced fraud or theft as a result of this incident.

What We Are Doing.

The confidentiality, privacy, and security of the sensitive information in our care is one of our highest priorities. Upon learning of the incident, we immediately commenced an investigation to confirm its nature and scope and to identify what information may be affected. We also took steps to prevent further unauthorized access to our system. While we have measures in place beyond those required by the State of Georgia to protect information in our systems, we have invested $25,000 in additional security measures to further safeguard our systems, and we are reviewing our policies and procedures to enhance our existing security.

Why has it taken so long to notify me/the public?

Based on notifications the Authority has received, we believe that our notification is much more timely than others’ known to us. But as with breaches from major companies, notifications do not get distributed immediately because it takes time for information technology professionals and law enforcement personnel to sweep their systems and conduct forensics as the first step in determining any potential data compromises.

However, we did notify our Board of Directors in a public meeting on September 15, 2020 of the breach. Our local newspaper has run two stories on this breach. We updated our Board again in a public meeting on October 20th.

Before the Authority could send out notices to affected individuals, we had to know how many people may have been affected, what information may have been compromised, and collect names and contact information. In addition to the approximately 328 hours IT has invested in handling this attack, nine Authority employees have spent considerable amounts of time on this issue, including checking individual files on each of the nineteen servers for any possible compromised personal information.

Although the Authority was working to set everything in motion to notify the public, it could not finalize the notification process until it had the number of impacted individuals and last known contact information.

How do I receive updates on this incident?

We will continue to update our Board of Directors on any major updates regarding this incident. You can view the meeting minutes at jekyllisland.com/jekyll-island-authority/board-directors.

How many people were affected by this incident?

The hackers could have had access to data affecting over 7,000 individuals and companies who do business with the Authority.

What steps can I take to protect myself?

Always be aware of who has your medical information. You can freeze or unfreeze your credit with the credit bureaus at no cost to you. You will have to call the credit bureaus to do this.

For more information:

If you have additional questions, please call 1-833-531-1171 or email us with your name, contact information, and your question to breach@jekyllisland.com.