OK, this isn’t how I pictured the blog showing up in the New York Times, but the whole Convio affair has just been covered by Stephanie Strom of the New York Times. Thanks to Beth Kanter for directing the reporter to me. It turns out the affair might be worse than we thought:
About a week later, the company notified an additional 62 nonprofit groups that similar information about their donors might have been compromised, although there was no evidence that it had been downloaded, Mr. Druart said.
That would bring it to 154 nonprofits that may have been affected. And we’re finally seeing more nonprofits in our list (UPDATE 11/29/2007 10:18 AM: I’m adding some nonprofits that have been mentioned on Don’t Tell the Donor. They are EarthJustice, Five Moms Campaign and University of Connecticut Foundation.)
- American Museum of Natural History
- American Red Cross
- Credo Mobile (Working Assets) (website notification)
- Earthjustice (mentioned by Care2 user, Dusty W.)
- Five Moms Campaign (mentioned by Five Moms subscriber Kash58)
- Log Cabin Republicans
- Michigan Equality
- UPDATE (11/27/2007 6:27 PM EST) National Park Conservation Association (press release issued)
- Techsoup (website notification)
- United Animal Nations
- University of Connecticut Foundation (website notification) ID’d by Don’t Tell the Donor
(UPDATE 11/29/2007 10:24 AM: Earthjustice deserves some additional chiding here for trying to keep their breach under wraps. I tried to deliver a warning to them that hiding this stuff isn’t going to work and sure enough, one of their users lifted the veil on Care2, the largest online community for nonprofit constituents. Good job, Earthjustice. And when you folks advocate for greater transparency on the part of coal mining companies or nuclear plant operators, be aware that that knife can cut both ways.)
An anonymous commenter also adds the SEIU at both the international and local level. If you can confirm this for me by forwarding the e-mail notification, I’ll definitely give you a big thank you on the blog.
Yes, yes I know Convio screwed up the technical side of this issue, but nonprofits are only compounding the problem with their lack of disclosure. Users shouldn’t have to resort to a blog to find out if they’ve been affected. To put it mildly, the tactic is not constituent-friendly. In the article, Beth said, “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.” I totally agree with her. Just think of disclosure as a long-term investment between your nonprofit and the general public. Apparently, United Animal Nations lost 2% of their online subscriber base but that’s to be expected in any kind of security breach. A nonprofit is certainly not going to regain constituent trust by not mentioning the problem on their site. It’s the Internet folks, and this kind of information can’t be sequestered like your crazy uncle in the attic.
Nonprofits seem to be unwilling or unable to ask for disclosure by their nonprofit vendors about details regarding security. “Don’t ask, don’t tell” doesn’t work in the US Army, why should this be a nonprofit’s stance when trying to guarantee privacy for their constituents? I think that from now on every vendor who works with nonprofit data should at least abide by standards regarding password encryption (one-way hashes only) and should not allow bulk downloads of unencrypted passwords for any reason. Also, every vendor should be prepared to submit an accurate snapshot of their secured network perimeter. And nonprofit IT directors should demand a service level agreement (SLA) in order to give their nonprofit a legal basis for dropping out of a contract if conditions for service and security aren’t met. If nonprofits refuse to ask for even these basic measures, frankly, they should not be accepting online donations through any online vendor. Believe me, if enough nonprofits started pushing in this manner, the industry would just simply accept it as a standard way of doing business.