Hacker steals non-profits' data from marketing firm

Hacker steals non-profits' data from marketing firm
Hacker steals non-profits' data from marketing firm 

By Gregg Keizer
November 28, 2007 

The FBI is investigating the theft of e-mail addresses and passwords 
from nearly 100 nonprofit organizations, including the American Red 
Cross, CARE and the American Museum of Natural History in New York City, 
a Texas company said today.

"The FBI is involved now, so we won't be making any additional comment," 
said Tad Druart, the director of corporate communications at Convio Inc. 
of Austin, Tex. "But we have identified the problem and shut down the 
breach. And we've put security components in place to make sure it 
doesn't happen again."

Previously, Convio had admitted someone had stolen data that it stored 
for 92 clients of its GetActive platform, a Web-based e-mail marketing 
and online fundraising service used by non-profits, associations, and 
colleges and universities. The unknown attacker(s) made off with e-mail 
addresses and passwords -- the latter used by the donors to manage their 
accounts with the charity or non-profit group -- sometime between Oct.
23 and Nov. 1, the company said earlier this month. Data culled from 
another 62 Convio clients was awaiting retrieval by the attacker when 
Convio discovered the breach and locked down its databases on Nov. 1.

"The intruder obtained a login and password belonging to a Convio 
employee," wrote Dave Crooke, a company staffer, on a mailing list 
followed by non-profit professionals. "It appears that their PC was 
compromised, but we are still investigating." No credit card account 
data, or non-profit contributors' names and mailing addresses, were 
exposed or stolen, Crooke said.

In a message posted to its Web site, Gene Austin, Convio's CEO, 
apologized for the breach and urged anyone affected by the breach to 
change passwords and be on the watch for targeted phishing attacks. "If 
you use the same e-mail address and the same password for any other 
online service, such as your bank or PayPal, places where you shop 
online, or online e-mail accounts at services like Yahoo, we recommend 
that you change your password with those providers as soon as possible," 
Austin recommended.

Convio, however, didn't notify people directly that their e-mail 
addresses and passwords had been pinched, but instead reported the theft 
to all its GetActive clients, who were then responsible for e-mailing 
their constituents. The American Red Cross, for instance, warned about 
278,000 people linked to one of its newsletters, according to reports in 
the "New York Times."

Few organizations affected by the Convio breach, however, went to the 
extra effort of posting an alert on their own Web site, something that 
bothers a former IT director for a New York City non-profit.

"Convio did the right thing," said Allan Benamer, who once worked with 
the Coalition for the Homeless and now writes the Non-profit Tech Blog. 
"They at least notified people promptly. But the non-profits didn't take 
the second step and put it on their site. If the constituents missed the 
e-mail, they were on their own."

One of the few was TechSoup, a technology Web site for non-profit 
organizations. TechSoup posted detailed information on its site, and 
highlighted the breach on its home page. About 3,000 people who had 
registered with the site to receive its newsletter had their e-mail 
addresses and passwords taken by the Convio hacker.

Benamer was dismayed that by his count only two groups have publicized 
the breach on their sites. "Two out of 154, that's a terrible record. If 
154 banks were affected by a breach, do you think only two would 
disclose it on their Web site?"

While non-profits may have hesitated to broadcast the breach for fear of 
losing contributors, especially during the season when donations spike, 
Benamer said that was short-sighted. "I don't get it," he said. "They 
may be serving the letter of notification, but not the spirit." And in 
economic terms, downplaying the problem is an unsound strategy; affected 
donors might abandon their favorite non-profit because of the secrecy.

"Non-profits are held to a higher standard," said Benamer. "They have to 
show that they're more honest [than for-profits]."

Visit InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods