Skip the navigation

Hacker steals nonprofits' data from marketing firm

Constituents' e-mail addresses and passwords pinched, but few groups post alerts

November 28, 2007 12:00 PM ET

Computerworld - The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including The American National Red Cross, Cooperative for Assistance and Relief Everywhere Inc. (CARE) and the American Museum of Natural History in New York, an Austin-based company said today.

"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio Inc. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."

Previously, Convio had acknowledged that someone had stolen data that it stored for 92 clients of its GetActive system, a Web-based e-mail marketing and online fundraising service used by nonprofits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or nonprofit group -- sometime between Oct. 23 and Nov. 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on Nov. 1.

"The intruder obtained a log-in and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list used by nonprofit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data or nonprofit contributors' names and mailing addresses were exposed or stolen, Crooke said.

In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected by it to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin recommended.

Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, which were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in The New York Times.

Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director at a New York-based nonprofit organization.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!