Convio, Security, nptech

Breaking news: Convio reports security breach on GetActive systems

If you’re a former GetActive client [UPDATE 11/5/2007]: (and you were unlucky enough to have your Convio system hacked), you might have just received an e-mail that reads like this:

Convio has identified a security attack against our GetActive software systems that has resulted in your constituent data being accessed by an unauthorized third-party. We take this attack very seriously and are committed to working with you to minimize the impact on your organization and your constituents. The third-party sought to download email addresses and, in some instances, member passwords. There was no loss of credit card data. We are confident that this is the extent of the breach:

Only certain clients on the GetActive software platform were affected. No clients using the Convio software platform were affected.

Unauthorized downloads of email addresses and member passwords were conducted against 92 GetActive clients, including your organization. Preparations for similar downloads were made against an additional 62 GetActive clients, but were not executed and did not result in data loss.

The breach occurred between October 23 and November 1, 2007.

We discovered the breach late in the day on November 1, and worked through the night and all day on Friday to make sure we understood fully the severity and how to help you through the situation.

The attack was carried out by an outside party who temporarily gained limited access to our systems. As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft.

We are notifying you and all other affected clients, as well as those that were not affected so that they understand the situation. We are working over the weekend to provide further information and support and will update you on Monday with the latest information.

What you should do next
We recommend that you notify those constituents with user-created passwords that may have been disclosed. Some of these individuals may use the same email address and the same password with multiple online service providers. Notifying these members will help protect them against compromise of their other online accounts. At the bottom of this message you will find a sample email we have prepared.

Members with user-created passwords are a subset of your full email list. To help your organization communicate with these individual[sic], we have provided a query within your dashboard that can be used to identify this segment of your list. Additional instructions for your GetActive platform administrator are provided below. Please feel free to contact your account manager, who is aware of this situation and will be available to provide support and further updates.

We will provide further guidance about whether we recommend additional notification regarding disclosures that involved only email addresses and any additional updates on Monday. At that time, we will also provide you with a dedicated 800 number and Web page to provide ongoing updates.

Security breaches are bound to happen and Convio did the right thing in notifying its clients as quickly as it could. There’s an additional web site that offers advice to your constituents at http://www.convio.com/onlinesecurity. I’m seeking more details from Convio regarding some items that cropped up in the e-mail. My questions are:

  • There was an outside firm that notified Convio of the breach. What does that company do? E-commerce? Hosting? Networking?
  • Also, do you have technical details on how this was done? Was it a social engineering attack, XSS or some other method?

It’s too soon to get more details out but I had to break this news so that you former GetActive clients can start communicating with your constituents.
