By Gregg Keizer
November 28, 2007
The FBI is investigating the theft of e-mail addresses and passwords
from nearly 100 nonprofit organizations, including the American Red
Cross, CARE and the American Museum of Natural History in New York City,
a Texas company said today.
"The FBI is involved now, so we won't be making any additional comment,"
said Tad Druart, the director of corporate communications at Convio Inc.
of Austin, Tex. "But we have identified the problem and shut down the
breach. And we've put security components in place to make sure it
doesn't happen again."
Previously, Convio had admitted someone had stolen data that it stored
for 92 clients of its GetActive platform, a Web-based e-mail marketing
and online fundraising service used by non-profits, associations, and
colleges and universities. The unknown attacker(s) made off with e-mail
addresses and passwords -- the latter used by the donors to manage their
accounts with the charity or non-profit group -- sometime between Oct.
23 and Nov. 1, the company said earlier this month. Data culled from
another 62 Convio clients was awaiting retrieval by the attacker when
Convio discovered the breach and locked down its databases on Nov. 1.
"The intruder obtained a login and password belonging to a Convio
employee," wrote Dave Crooke, a company staffer, on a mailing list
followed by non-profit professionals. "It appears that their PC was
compromised, but we are still investigating." No credit card account
data, or non-profit contributors' names and mailing addresses, were
exposed or stolen, Crooke said.
In a message posted to its Web site, Gene Austin, Convio's CEO,
apologized for the breach and urged anyone affected by the breach to
change passwords and be on the watch for targeted phishing attacks. "If
you use the same e-mail address and the same password for any other
online service, such as your bank or PayPal, places where you shop
online, or online e-mail accounts at services like Yahoo, we recommend
that you change your password with those providers as soon as possible,"
Convio, however, didn't notify people directly that their e-mail
addresses and passwords had been pinched, but instead reported the theft
to all its GetActive clients, who were then responsible for e-mailing
their constituents. The American Red Cross, for instance, warned about
278,000 people linked to one of its newsletters, according to reports in
the "New York Times."
Few organizations affected by the Convio breach, however, went to the
extra effort of posting an alert on their own Web site, something that
bothers a former IT director for a New York City non-profit.
"Convio did the right thing," said Allan Benamer, who once worked with
the Coalition for the Homeless and now writes the Non-profit Tech Blog.
"They at least notified people promptly. But the non-profits didn't take
the second step and put it on their site. If the constituents missed the
e-mail, they were on their own."
One of the few was TechSoup, a technology Web site for non-profit
organizations. TechSoup posted detailed information on its site, and
highlighted the breach on its home page. About 3,000 people who had
registered with the site to receive its newsletter had their e-mail
addresses and passwords taken by the Convio hacker.
Benamer was dismayed that by his count only two groups have publicized
the breach on their sites. "Two out of 154, that's a terrible record. If
154 banks were affected by a breach, do you think only two would
disclose it on their Web site?"
While non-profits may have hesitated to broadcast the breach for fear of
losing contributors, especially during the season when donations spike,
Benamer said that was short-sighted. "I don't get it," he said. "They
may be serving the letter of notification, but not the spirit." And in
economic terms, downplaying the problem is an unsound strategy; affected
donors might abandon their favorite non-profit because of the secrecy.
"Non-profits are held to a higher standard," said Benamer. "They have to
show that they're more honest [than for-profits]."
Visit InfoSec News