Breach Report: NYC Metropolitan Opera suspected ransomware/breach affects 45,000+

One-sentence summary:

A December 2022 suspected ransomware attack on the NYC Metropolitan Opera affected over 45,000 consumers and “froze” operations, with victims notified nearly 8 months after the breach started.

Who was involved?

The NYC Metropolitan Opera, 45,094 consumers, and a threat actor.

What was the timeline?

September 30, 2022: Threat actor gains initial access to the Met

December 6, 2022: Metropolitan Opera detects the breach and stops it, suffers service outage (Bilefsky, 2022)

December 15, 2022: The Met restores services (Bilefsky, 2022)

May 3, 2023: Metropolitan Opera begins consumer notification

What occurred?

The Metropolitan Opera was breached for over two months before becoming the victim of a suspected ransomware attack in December 2022 (Basta, 2023; Bilefsky, 2022). During the attack, operational costs were significant as IT-based services suffered an outage during a peak holiday season (Bilefsky, 2022). Finally, victims are being notified potentially almost 8 months after the breach of potentially having their sensitive data breached, potentially including: “name, financial, account information, tax identification number, Social Security number, payment card information, and driver’s license number” (The Metropolitan Opera, 2023, p. 2).

Estimated costs:

Incident response costs, breach notification costs, operational costs and downtime (~$200k/day season=~$1.4 million partially impacted) (Bilefsky, 2022), 12 months Kroll identity services, M-F call center

Involved laws:

State: Maine: 10 M.R.S.A. § 1346

Root cause:

TBA or N/A (see disclaimer)

Lessons learned:

TBA or N/A (see disclaimer)

Sources:

Basta, S. (2023). Data Breach Notifications. In Privacy, Identity Theft and Data Security Breaches. Office of the Maine Attorney General. Retrieved May 7, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/478d1a19-4c27-4d7f-8808-69a49696ccb1.shtml

Bilefsky, D. (2022, December 15). Met Opera’s Website and Box Office Are Back, 9 Days After Cyberattack. The New York Times. https://www.nytimes.com/2022/12/15/arts/music/met-opera-cyberattack.html

The Metropolitan Opera. (n.d.). untitled. YouTube. https://yt3.googleusercontent.com/ytc/AGIKgqNqAMhv_nv4yg7Ydj7PqQg9Yef-bWxETS5F7OTv=s900-c-k-c0x00ffffff-no-rj

The Metropolitan Opera. (2023). The Metropolitan Opera – Notice of Data Event – ME.pdf. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved May 7, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/478d1a19-4c27-4d7f-8808-69a49696ccb1.shtml

About Post Author

Kyler Kent CISSP

I am a Threat Hunting and Intelligence Specialist and am a progressive, aspiring cyber leader. I am currently based in Dallas, with a holistic and multidisciplinary background. I am a lifelong learner– constantly seeking education and training opportunities. I maintain several cybersecurity and IT certifications. I also maintain two Texas DPS private security licenses. Finally, I have a master’s degree from Georgetown University’s SCS Cybersecurity Risk Management program. https://linktr.ee/kentprotect.com Corrections: [email protected]

http://kylerkent.com