Hacker steals non-profits' data from marketing firm

Data on 92 clients of a Web-based e-mail marketing and online fundraising service stolen.

The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including the American Red Cross, CARE and the American Museum of Natural History in New York City, a Texas company said Wednesday.

"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio of Texas. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."

Previously, Convio had admitted someone had stolen data that it stored for 92 clients of its GetActive platform, a Web-based e-mail marketing and online fundraising service used by non-profits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or non-profit group -- sometime between October 23 and November 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on November 1.

"The intruder obtained a login and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list followed by non-profit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data, or non-profit contributors' names and mailing addresses, were exposed or stolen, Crooke said.

In a message posted to its Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected to change passwords and be on the watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin said.

Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, who were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in the "New York Times."

Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director for a New York City non-profit.

"Convio did the right thing," said Allan Benamer, who once worked with the Coalition for the Homeless and now writes the Non-profit Tech Blog. "They at least notified people promptly. But the non-profits didn't take the second step and put it on their site. If the constituents missed the e-mail, they were on their own."

One of the few was TechSoup, a technology Web site for non-profit organizations. TechSoup posted detailed information on its site, and highlighted the breach on its home page. About 3,000 people who had registered with the site to receive its newsletter had their e-mail addresses and passwords taken by the Convio hacker.

Benamer was dismayed that, by his count, only two groups had publicized the breach on their sites. "Two out of 154, that's a terrible record. If 154 banks were affected by a breach, do you think only two would disclose it on their Web site?"

While non-profits may have hesitated to broadcast the breach for fear of losing contributors, especially during the season when donations spike, Benamer said that was short-sighted. "I don't get it," he said. "They may be serving the letter of notification, but not the spirit." And in economic terms, downplaying the problem is an unsound strategy; affected donors might abandon their favorite non-profit because of the secrecy.

"Non-profits are held to a higher standard," said Benamer. "They have to show that they're more honest [than for-profits]."


Gregg Keizer
