Some San Diegans’ personal information provided to Jewish Family Service exposed online

Jewish Family Service of San Diego, a prominent nonprofit aid organization, exposed thousands of messages, some with identifying information from people seeking help with everything from paying rent to escaping abusive relationships.

The social-services charity, which helps people in crisis regardless of their faith, learned of the data breach Monday night, after a San Diego Union-Tribune reporter stumbled upon the material online. More than 5,000 messages submitted through the public contact form on the organization’s websites over the past two years were made public.

Jewish Family Service declined to respond to specific questions but issued a statement saying it took immediate steps to resolve the data breach.

“On February 22, 2021, after being contacted by The San Diego Union-Tribune, Jewish Family Service became aware of a vulnerability on its website,” it said. “We take the security of our data extremely seriously and have taken steps to secure the website. We have engaged cybersecurity experts to conduct legal and forensic investigations, to determine the nature and scope of the incident. We are willing to provide additional information as we learn more.”

Based on a preliminary investigation, the problem appeared limited to a single contact form on the website, which the organization fixed within hours of its discovery, the charity said.

Some of the messages exposed online contained personal identifying information, including addresses, phone numbers, dates of birth, and Social Security and passport numbers. Email addresses, driver’s license numbers and refugee and immigration case information also were included in some of the messages posted on the internet.

It appeared that only the date and body of messages sent through the online contact form were exposed; personal information was included because some users had typed it into a text box.

Jewish Family Service of San Diego was established in 1918 and has become one of the largest social-services providers in the region. It reported $32.4 million in revenue and $24.9 million in expenditures in the year ending June 30, 2019, according to its most recent publicly available tax return.

Last July, the charity announced that it was one of many nonprofit organizations that experienced security breaches related to a ransomware attack on Blackbaud, a major financial and fundraising technology provider used primarily by nonprofits.

In October, the nonprofit Identity Theft Resource Center reported that 144 organizations and 7 million people had been affected.

The 2020 data breach included “donor name and contact information, and may have also included telephone numbers, email addresses, and mailing addresses; and a brief history of donors’ relationships with JFS up to that point, such as donation dates and giving amounts,” charity officials said last year.

The nonprofit has been a lifeline for many people in San Diego and beyond for more than a century, providing assistance to tens of thousands of people each year, its annual reports state. It awarded millions of dollars in cash grants for people in crisis and provided desperately needed services such as car loans and safe overnight parking for people living in their vehicles.

Jewish Family Service also serves as a resource for various government agencies, including social workers seeking to connect their clients with public benefits.

Dozens of the exposed messages were from grateful clients, thanking the organization for helping them get through rough patches in their lives and setting them back on a track to self-sufficiency.

The messages also showed how deeply many San Diego County residents have been affected by the COVID-19 pandemic. Several of the writers said they had tried and failed to find help elsewhere and didn’t know what to do.

A handful of the messages appeared to be from charity administrators, testing the form’s functionality or conveying messages internally. Several simply said “test.”