A cyberattack on Radio Free Asia compromised the data of nearly 4,000 people, the non-profit news service has announced.
Radio Free Asia (RFA) is a US government-funded private news service that broadcasts radio programs and publishes online news and commentary for audiences in Asia. The service provides reportage to Asian countries with poor media environments and limited freedom of speech.
“On June 28, 2022, we became aware of the Incident within our email system which indicated unauthorized access to a limited number of servers,” the outlet said in a letter to those affected.
“Out of an abundance of caution and immediately following detection, RFA took systems offline and took measures to address and contain the Incident including launching an investigation, engaging data privacy and security professionals, working with law enforcement, changing passwords, and migrating to a new cloud-based email environment.”
The attackers made off with Social Security, driver’s license and passport numbers, as well as names, addresses, state ID numbers, health insurance information, medical data, and some financial info, according to the notice.
The unauthorized access is blamed on a service provider’s vulnerability, “unknown by RFA at the time of the compromise.”
The news station says there is no evidence the attackers misused the stolen information, but as cyber incidents often go, it’s only a matter of time before the perps seek to sell the data on the dark web.
“Upon becoming aware of the Incident, we immediately implemented measures to further improve the security of our systems and practices,” the letter continues. “We worked with a leading privacy and security firm to aid in our investigation and response, and we are reporting this Incident to relevant government agencies.”
Affected parties are offered two years of free credit monitoring through Equifax. RFA advises those affected by the breach to regularly monitor free credit reports, review account statements, and report any suspicious activity to financial institutions.
RFA spokesperson Rohit Mahajan reportedly said his organization was never contacted by the attackers, suggesting the hack was not purely financially motivated.