Hacker steals nonprofits' data from marketing firm
Constituents' e-mail addresses and passwords pinched, but few groups post alerts
Computerworld - The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including The American National Red Cross, Cooperative for Assistance and Relief Everywhere Inc. (CARE) and the American Museum of Natural History in New York, an Austin-based company said today.
"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio Inc. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."
Previously, Convio had acknowledged that someone had stolen data that it stored for 92 clients of its GetActive system, a Web-based e-mail marketing and online fundraising service used by nonprofits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or nonprofit group -- sometime between Oct. 23 and Nov. 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on Nov. 1.
"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data or nonprofit contributors' names and mailing addresses were exposed or stolen, Crooke said.
In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected by it to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin recommended.
Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, which were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in The New York Times.
Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director at a New York-based nonprofit organization.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts