The FBI is investigating the theft of e-mail addresses and passwords from nearly 100 nonprofit organizations, including the American Red Cross, CARE and the American Museum of Natural History in New York City, a Texas company said Wednesday.
"The FBI is involved now, so we won't be making any additional comment," said Tad Druart, the director of corporate communications at Convio of Texas. "But we have identified the problem and shut down the breach. And we've put security components in place to make sure it doesn't happen again."
Previously, Convio had admitted someone had stolen data that it stored for 92 clients of its GetActive platform, a Web-based e-mail marketing and online fundraising service used by non-profits, associations, and colleges and universities. The unknown attacker(s) made off with e-mail addresses and passwords -- the latter used by the donors to manage their accounts with the charity or non-profit group -- sometime between October 23 and November 1, the company said earlier this month. Data culled from another 62 Convio clients was awaiting retrieval by the attacker when Convio discovered the breach and locked down its databases on November 1.
"The intruder obtained a login and password belonging to a Convio employee," wrote Dave Crooke, a company staffer, on a mailing list followed by non-profit professionals. "It appears that their PC was compromised, but we are still investigating." No credit card account data, or non-profit contributors' names and mailing addresses, were exposed or stolen, Crooke said.
In a message posted to the company's Web site, Gene Austin, Convio's CEO, apologized for the breach and urged anyone affected to change passwords and watch for targeted phishing attacks. "If you use the same e-mail address and the same password for any other online service, such as your bank or PayPal, places where you shop online, or online e-mail accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible," Austin said.
Convio, however, didn't notify people directly that their e-mail addresses and passwords had been pinched, but instead reported the theft to all its GetActive clients, who were then responsible for e-mailing their constituents. The American Red Cross, for instance, warned about 278,000 people linked to one of its newsletters, according to reports in the "New York Times."
Few organizations affected by the Convio breach, however, went to the extra effort of posting an alert on their own Web site, something that bothers a former IT director for a New York City non-profit.
"Convio did the right thing," said Allan Benamer, who once worked with the Coalition for the Homeless and now writes the Non-profit Tech Blog. "They at least notified people promptly. But the non-profits didn't take the second step and put it on their site. If the constituents missed the e-mail, they were on their own."
One of the few was TechSoup, a technology Web site for non-profit organizations. TechSoup posted detailed information on its site, and highlighted the breach on its home page. About 3,000 people who had registered with the site to receive its newsletter had their e-mail addresses and passwords taken by the Convio hacker.
Benamer was dismayed that by his count only two groups have publicized the breach on their sites. "Two out of 154, that's a terrible record. If 154 banks were affected by a breach, do you think only two would disclose it on their Web site?"
While non-profits may have hesitated to broadcast the breach for fear of losing contributors, especially during the season when donations spike, Benamer said that was short-sighted. "I don't get it," he said. "They may be serving the letter of notification, but not the spirit." And in economic terms, downplaying the problem is an unsound strategy; affected donors might abandon their favorite non-profit because of the secrecy.
"Non-profits are held to a higher standard," said Benamer. "They have to show that they're more honest [than for-profits]."