Data from charities’ donors hacked

Hackers obtained access last month to the e-mail addresses and passwords of thousands of donors to 92 charities that use online database software and services from Convio Inc. Among the charities are CARE and the American Museum of Natural History. There is no evidence that anyone has used the information to engage in fraud, but several charities have notified donors of the breach and advised them to consider changing passwords if they use the same password for other purposes. Convio, of Austin, Texas, which works primarily with charities, discovered the breach Nov. 1 and told clients about it two days later, said Tad Druart, a spokesman.

About a week later, the company notified an additional 62 nonprofit groups that similar information about their donors might have been compromised, although there was no evidence that it had been downloaded, Druart said.

He said the problem affected only users of GetActive, a business that was acquired by Convio almost a year ago. “The investigation is continuing,” Druart said.

News of the breach was reported as the year-end giving season starts. A growing number of donors use the Internet to make their gifts, and experts said some charities might have been reluctant to inform them about the breach out of fear that it would affect donations.

“This wasn’t the best time for this to happen,” said Beth Kanter, a consultant and blogger. “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.”

The breach set off a lively blog discussion about how the affected charities should respond.

Allan Benamer, who writes the Non-Profit Tech Blog, reported on the problem early in the month. By Nov. 14, Benamer could identify just four organizations that had notified donors – freepress.net, CARE, the Museum of Natural History and Credo Mobile, a for-profit wireless communications business that works to enlist customers’ support for progressive causes.

“This is a disturbing trend and shows that nonprofits don’t understand the nature of security,” Benamer wrote.

Convio, which is conducting an initial public offering, would not say how many individuals might be affected. But given the size of the organizations, the number may reach into the hundreds of thousands.

The American Red Cross, which uses GetActive to distribute a newsletter about blood services and was in the second group to learn of the problem, said up to 278,000 e-mail addresses had been compromised. Passwords were also at risk in 1,351 instances, said Stephanie Millian, a spokeswoman for the Red Cross. The organization sent letters to those people Nov. 14, alerting them to the potential problem and offering advice about addressing it.

Nicole Forsyth, president and chief executive of United Animal Nations, an animal assistance group that was among the first organizations told of the breach, said more than 7,000 of its 20,000 online newsletter subscribers were affected and that some were angry.

“We’ve had losses,” Forsyth said. “About 2 percent of our online subscribers have unsubscribed.”

CARE, which uses Convio to e-mail constituents and handle online donations, sent notices to 31,000 people, or 15 percent of those registered through its Web site.
