Hacker steals nonprofits' data from marketing firm
Constituents' e-mail addresses and passwords pinched, but few groups post alerts
Computerworld - The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including the American National Red Cross, Cooperative for Assistance and Relief Everywhere Inc. (CARE) and the American Museum of Natural History in New York, Austin-based Convio Inc. said today.
"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio Inc. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."
Previously, Convio had acknowledged that someone had stolen data it stored for 92 clients of its GetActive system, a Web-based e-mail marketing and online fundraising service used by nonprofits, associations, colleges and universities. The unknown attacker (or attackers) made off with e-mail addresses and passwords -- the latter used by donors to manage their accounts with the charity or nonprofit group -- sometime between Oct. 23 and Nov. 1, the company said earlier this month. Data culled from another 62 Convio clients was staged and awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on Nov. 1.
"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data or nonprofit contributors' names and mailing addresses were exposed or stolen, Crooke said.
In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected by it to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin recommended.
Convio, however, didn't notify affected people directly that their e-mail addresses and passwords had been pinched; instead it reported the theft to all its GetActive clients, which were then responsible for e-mailing their own constituents. The American Red Cross, for instance, warned approximately 278,000 people linked to one of its newsletters, according to reports in The New York Times.
Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director at a New York-based nonprofit organization.