Hacker steals nonprofits' data from marketing firm
Constituents' e-mail addresses and passwords pinched, but few groups post alerts
Computerworld - The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including The American National Red Cross, Cooperative for Assistance and Relief Everywhere Inc. (CARE) and the American Museum of Natural History in New York, an Austin-based company said today.
"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio Inc. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."
Previously, Convio had acknowledged that someone had stolen data that it stored for 92 clients of its GetActive system, a Web-based e-mail marketing and online fundraising service used by nonprofits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or nonprofit group -- sometime between Oct. 23 and Nov. 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on Nov. 1.
"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data or nonprofit contributors' names and mailing addresses were exposed or stolen, Crooke said.
In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected by it to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin recommended.
Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, which were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in The New York Times.
Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director at a New York-based nonprofit organization.