Hacker steals nonprofits' data from marketing firm
Constituents' e-mail addresses and passwords pinched, but few groups post alerts
Computerworld - The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including The American National Red Cross, Cooperative for Assistance and Relief Everywhere Inc. (CARE) and the American Museum of Natural History in New York, an Austin-based company said today.
"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio Inc. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."
Previously, Convio had acknowledged that someone had stolen data that it stored for 92 clients of its GetActive system, a Web-based e-mail marketing and online fundraising service used by nonprofits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or nonprofit group -- sometime between Oct. 23 and Nov. 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on Nov. 1.
"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data or nonprofit contributors' names and mailing addresses were exposed or stolen, Crooke said.
In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected by it to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin recommended.
Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, which were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in The New York Times.
Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director at a New York-based nonprofit organization.