Scrum.org - Data Breach

1. Dear [XXX],
2.  
3. We value you as a customer of Scrum.org and respect the privacy of your information. This is why, as a precautionary measure, we are writing to let you know about a security incident which involves your personal information. This notice has not been delayed due to a law enforcement investigation.
4.  
5. What Happened?
6.  
7. On May 26, 2016, we noticed an issue with the Scrum.org website outgoing mail server. Upon investigation, we determined that emails used to communicate initial passwords were not being sent. After further investigation, our information technology professionals discovered that some of our mail server settings had been modified and found one new administrator user account. The very next day, we were informed by one of our software vendors that we use to operate the website that their software contained a newly discovered vulnerability, which accounted for the issues we had seen. We immediately confirmed the applicability of the vulnerability and followed all of our vendor’s instructions to ensure the vulnerability was resolved.
8.  
9. What information Was Involved?
10.  
11. While we continue to investigate the matter, we have determined that user’s names, email addresses, encrypted passwords, the password decryption key, and completed certifications and their associated test scores may have been compromised, but at this time we are not able to confirm that any of these items were actually taken, nor is there any evidence that any of this information was used by an unauthorized individual. User’s profile photographs, if uploaded, may also have been compromised. We do not store any other information on our servers. No financial information was involved in this incident.
12.  
13. What We are Doing
14.  
15. In addition to closing the vulnerability as directed by our vendor and deleting the invalid administrator account, we have reset the passwords of all Scrum.org accounts. To continue accessing your account, you will be required to set a new password at your next login. This summer, we are also moving to a new software vendor that provides greater password security.
16.  
17. What You Can Do
18.  
19. If you wish to continue accessing your Scrum.org account, you will be required to change your Scrum.org password. If you use the same or similar passwords on other online services, we recommend that you set new passwords on those accounts as well.
20.  
21. For More Information
22.  
23. If you have any questions, please feel free to contact us at breachinfo@scrum.org.
24.  
25. Thank you,
26.  
27. Dave West
28. CEO
29. Scrum.org