The American Radio Relay League (ARRL) finally confirmed that some of its employees’ data was stolen in a May ransomware attack initially described as a “serious incident.”

ARRL, the National Association for Amateur Radio, said in data breach notifications recently sent to impacted individuals that it detected the “sophisticated ransomware incident” after the attackers breached and encrypted its computer systems on May 14.

After discovering the breach, ARRL took impacted systems offline to contain the incident and hired external forensic experts to help assess the attack’s impact.

In early June, it also revealed that its systems were hacked by a “malicious international cyber group” in a “sophisticated network attack.”

“Our investigation has determined that the unauthorized third party may have acquired your personal information during this incident,” it told individuals whose data was stolen.

“Please know that we have taken all reasonable steps to prevent your data from being further published or distributed, have notified and are working with federal law enforcement to investigate.

“Impacted data may have contained your personal information, including your name, address and social security number.”

In a filing with the Office of Maine’s Attorney General this week, the organization claims that this data breach only affected 150 employees.

Although ARRL said no evidence was found that the stolen personal information was misused, it still decided to provide those impacted by this data breach with 24 months of free identity monitoring through Kroll out of “an abundance of caution.”

ARRL has not linked the attack to a specific ransomware gang, but sources told BleepingComputer that the Embargo ransomware operation was behind this incident.

However, although this ransomware group first surfaced in May and has since added only eight victims to its dark web leak site (some already removed, likely because they paid a ransom), ARRL has yet to be listed.

ARRL stated in the breach notifications that they have taken “all reasonable steps to prevent your data from being further published or distributed,” which could be taken to mean that a ransom was paid to prevent the data from being leaked.

Firstmac Limited, the largest non-bank lender in Australia, is one of the victims who had over 500GB of stolen data leaked on Embargo’s website.