CFPC Breach Notification

2024-04-04

CFPC Breach Notification

This past October, a threat actor accessed CFPC systems, removed data from the network, and attempted to encrypt the College’s systems.  
The encryption attempt was unsuccessful, and we immediately shut down access to our network, gathered evidence, and notified law enforcement.

We were able to verify the security of College systems. Our member database and our email system were not affected.

Data removed from our system included:

• Some staff members’ personal information stored locally.
• A backup of an older member database, containing member names, addresses, license information, and date of birth.
• A backup of an older financial system which contained payee names, addresses, email, and direct deposit information.
• Donor reports for the Foundation for Advancing Family Medicine, containing names and donation amounts.

We understand that span of time since unusual activity was identified until now appears lengthy; however, during this time we have been in contact with cyber security experts and conducted an in-depth investigation, including to confirm the specific nature of the data that were affected.

Our investigation is complete, and we have closed the vulnerability which caused the threat actor to access our system.

Working with law enforcement, the threat actor’s overseas group is well known. At this time, there is no evidence that exfiltrated data are available on the dark web.

The College continues to work closely with cyber security experts to safeguard our systems. The College has invested in live 24/7/365 monitoring of our systems, proactive dark web monitoring, and staff training and have contacted anyone affected.