Convio, NY Times, Security

NY Times finally breaks the story about the Convio security breach


OK, this isn’t how I pictured the blog showing up in the New York Times, but the whole Convio affair has just been covered by Stephanie Strom of the New York Times. Thanks to Beth Kanter for directing the reporter to me. It turns out the affair might be worse than we thought:

About a week later, the company notified an additional 62 nonprofit groups that similar information about their donors might have been compromised, although there was no evidence that it had been downloaded, Mr. Druart said.

That would bring it to 154 nonprofits that may have been affected. And we’re finally seeing more nonprofits in our list (UPDATE 11/29/2007 10:18 AM: I’m adding some nonprofits that have been mentioned on Don’t Tell the Donor. They are EarthJustice, Five Moms Campaign and University of Connecticut Foundation.)

(UPDATE 11/29/2007 10:24 AM: Earthjustice deserves some additional chiding here for trying to keep their breach under wraps. I tried to deliver a warning to them that hiding this stuff isn’t going to work and sure enough, one of their users lifted the veil on Care2, the largest online community for nonprofit constituents. Good job, Earthjustice. And when you folks advocate for greater transparency on the part of coal mining companies or nuclear plant operators, be aware that that knife can cut both ways.)

An anonymous commenter also adds the SEIU at both the international and local level. If you can confirm this for me by forwarding the e-mail notification, I’ll definitely give you a big thank you on the blog.

Yes, yes, I know Convio screwed up the technical side of this issue, but nonprofits are only compounding the problem with their lack of disclosure. Users shouldn’t have to resort to a blog to find out if they’ve been affected. To put it mildly, the tactic is not constituent-friendly. In the article, Beth said, “It’s a matter of donor stewardship, and while it’s not an emergency, you need to treat it as if it was one.” I totally agree with her. Just think of disclosure as a long-term investment between your nonprofit and the general public. Apparently, United Animal Nations lost 2% of their online subscriber base, but that’s to be expected in any kind of security breach. A nonprofit is certainly not going to regain constituent trust by not mentioning the problem on its site. It’s the Internet, folks, and this kind of information can’t be sequestered like your crazy uncle in the attic.

Nonprofits seem to be unwilling or unable to ask their vendors for disclosure of details regarding security. “Don’t ask, don’t tell” doesn’t work in the US Army, so why should it be a nonprofit’s stance when trying to guarantee privacy for its constituents? I think that from now on every vendor who works with nonprofit data should at least abide by standards regarding password storage (one-way hashes only) and should not allow bulk downloads of unencrypted passwords for any reason. Also, every vendor should be prepared to submit an accurate snapshot of its secured network perimeter. And nonprofit IT directors should demand a service level agreement (SLA) in order to give their nonprofit a legal basis for dropping out of a contract if conditions for service and security aren’t met. If nonprofits refuse to ask for even these basic measures, frankly, they should not be accepting online donations through any online vendor. Believe me, if enough nonprofits started pushing in this manner, the industry would simply accept it as a standard way of doing business.
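To make the "one-way hashes only" demand concrete, here is an added illustration (my own example, not Convio's code or anything from the article) contrasting a user table that stores passwords as-is with one that stores only a salted PBKDF2 hash. The user records are constructed sample data; the point is that a bulk export of the hashed table contains nothing a thief can log in with, while the plaintext table hands over every password.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """The weak design the post warns about: the record IS the password."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """One-way storage: random per-user salt plus PBKDF2 digest, kept as 'salt$digest'.

    The plaintext password cannot be recovered from this string; it can only
    be checked against a candidate by re-running the same derivation.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def passwords_exposed_by_export(records: List[str], passwords: List[str]) -> int:
    """Simulate a bulk download of the user table: count original passwords
    that appear verbatim in the exported records."""
    return sum(1 for record in records for pw in passwords if pw in record)


if __name__ == "__main__":
    # Constructed sample passwords for two hypothetical donors, not real data.
    donors = ["correct horse battery", "my-dog-spot"]
    weak_table = [store_plaintext(p) for p in donors]
    safe_table = [store_hashed(p) for p in donors]
    print("plaintext export leaks:", passwords_exposed_by_export(weak_table, donors))  # 2
    print("hashed export leaks:   ", passwords_exposed_by_export(safe_table, donors))  # 0
    print("login still works:     ", verify(donors[0], safe_table[0]))  # True
```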


1 Comment

  • On 02.10.08 Michael Langford said:

    This is old news now, I guess, but I happened across this post in an old RSS archive this morning and thought I should point out that CARE (for whom I work) sent an email to every affected online member within 36 hours of being informed of this breach by Convio. We reset all user passwords as well at around the same time (actually I think it was a day before the email went out). According to Convio, we were among the first of their clients to actually make statements to list members.
