I’m very disappointed with the reaction of nonprofits to the Convio security breach. The main reason is that, out of 92 affected organizations, we know the identity of only FOUR. These are:
- Working Assets
- freepress.net
- CARE
- American Museum of Natural History
I also know of one additional nonprofit that does not want its involvement disclosed.
This is a disturbing trend and shows that nonprofits don’t understand the nature of security. You should not follow a “security through obscurity” model; that model has been broken time and again by hackers. Don’t sweep security breaches under the rug. If you do not disclose publicly that your site has been breached and instead rely on e-mail to notify your constituents, you show that you’re more worried about the effect on your organization than on your constituents. In fact, you expose your constituents to further harm by doing only an e-mail notification. Remember, your constituents may have put your organization’s e-mail in a spam filter, may have been away on vacation, or may simply have had something go wrong with their e-mail. E-mail alone is a single point of failure — don’t go there.
As a baseline policy, I recommend that nonprofits use the California Office of Privacy Protection’s Recommended Practices on Notice of Security Breach Involving Personal Information. It’s a long PDF file, but the most salient recommendation is the following on how to do the notification.
Means of Notification
Individually notify those affected whenever possible.
- Send the notice by first-class mail.
- As an alternative, notify by e-mail, if you normally communicate with the affected individuals by e-mail and you have received their prior consent to that form of notification.
- If more than 500,000 individuals were affected, the cost of individual notification is more than $250,000, or you do not have adequate contact information on those affected, provide notice using public communication channels:
  - Post the notice conspicuously on your Web site, AND
  - Notify through major statewide media (television, radio, print), AND
  - Send the notice by e-mail to any affected party whose e-mail address you have.
If you’re a smaller nonprofit, you should do this anyway, even if fewer than 500,000 individuals were affected or the cost of notification was lower than $250,000. Imagine the heaping of scorn you will be served if an inattentive high-net-worth donor who doesn’t read her e-mail finds out her accounts were penetrated because of your organization’s insufficient notification efforts.
In that light I have to give Working Assets a “B-” rating on the way they handled this disclosure and Convio a “B”.
Working Assets set up a notification process quickly, notified their users via a Web site, and their staff were all over the Web answering questions. Eileen Bayers, Working Assets’ VP of Customer Relations, deserves some kudos for that. She was responsive to the comments thread here. That’s a good process. It could have been even better if they had provided a link to the security breach notice and made it conspicuous on the front page. There was also no press release.
UPDATE (11/16/2007): Originally, Convio received a “C-” for the late disclosure and for not doing due diligence properly on their GetActive acquisition. I’m upgrading them to a “B” as I see that they have finally updated their Web site to show in a conspicuous fashion the online security alert. It’s enough to serve as a model for notification of constituents for other nonprofits. Dave Crooke did a decent job of answering technical questions regarding the breach despite the fact that he did it on an e-mail list when he should have done it on the Convio site itself. However, Tad Druart, Convio’s Director of Corporate Communications, did a good thing by not only alerting the press but also the blogosphere. It was a calculated decision to be sure, but Tad probably tamped down on the level of blogging cattiness by the likes of yours truly and others.
The rest of the organizations are so far receiving failing grades — the dreaded “F”. They should at least implement a public notice on their Web site’s home page detailing the breach. All it takes is one constituent getting really hurt by the whole situation and I believe nonprofits will start to be more forthcoming with their security breaches.


I received an email today from the Center for Biological Diversity. Since they have no other means of contacting me, this is appropriate. Here’s an excerpt:
“It is possible that the email address and password you use for managing your email subscription with us was obtained by an unauthorized third party. We recommend you prevent misuse of this information. First, immediately change your password with Convio. You can do that on our actionnetwork.org site here: [link] If you use the same email address and password for other online sites (e.g. Yahoo, Amazon, Pay Pal, etc.), we recommend changing your password for those sites as soon as possible.
Next, please contact the Center by email if you experience a suspicious increase in spam messages or phishing. [Definition provided] If an organization or unfamiliar individual asks you for personal or financial information, do not share your information, and contact us immediately. The Center will never ask you for personal information through your email.”
I’m pretty satisfied with their response.
@Xris,
Well, add another nonprofit to the list. We now know of 5 nonprofits that have been affected by this. I’m still not particularly satisfied with that response from the Center for Biological Diversity. There are no guarantees that other users on their e-mail lists will read or even receive e-mails containing the warning. Consider yourself one of the lucky ones.
Log Cabin Republicans and Michigan Equality were affected and did send an alert to their lists. It’s also important to keep in mind that the breach was of the GetActive platform specifically, not Convio’s platform. I know it’s semantics, but this wasn’t a problem with the Convio product – but with the GetActive product that they acquired.
As a GetActive/Convio client, I can say that Convio’s actions were satisfactory from my perspective. They alerted every one of their clients of the security breach, and not just those clients affected. Their staff was extremely responsive to specific questions (as they always are).
Andrea, what grade would you give Convio? Convio had 11 months to inspect, maintain and then alter GetActive’s systems. They could have removed those flaws before they became such big problems, especially the “download decrypted passwords in bulk” feature. The breach itself was reported 8 days after the initial downloads, with the intruders already in the process of downloading passwords for even more orgs. There were numerous points where some due diligence was called for, but for whatever reason it didn’t happen.
The response could have been better but obviously, I did upgrade Convio to a B only after it took them more than a week to post a notice on their site in a conspicuous manner. The problem with security breaches isn’t that they happen, but that the mix of outright fear and condescension towards one’s users causes organizations to basically do the work of their intruders. People who steal identities don’t want their victims to know their identities have been stolen until it’s too late. And organizations further the cause of identity thieves when they don’t notify their constituents properly. E-mail notification is NOT enough. And that is why many orgs get the “F”. Some orgs were NOT timely and worse, used only e-mail as their basic mode of notification. It’s not surprising that both the orgs you mentioned also did not post an alert on their websites.
Finally, we really can’t have lower standards than the private sector on this issue. We have to have higher ones due to our nonprofit status. We have a public trust to uphold.
A very large number of SEIU locals and the international union can be added to the list.
The National Parks Conservation Association is a Convio/GetActive client, and we were one of the organizations whose data was breached. NPCA is committed to full disclosure. The very day we learned of the breach, we posted a press release to our site and sent our affected supporters an email notification. We also included a notice to affected subscribers in the November issue of our online newsletter, Park Lines.
Our release “National Parks Conservation Association Alerts Online Members of Vendor’s Security Breach” is online here: http://www.npca.org/media_center/press_releases/2007/110507_getactivesecurity.html
We value our online supporters and their trust. We take this breach seriously and are continuing to work on this issue.
Felicia Carr
Director of Online Communications
National Parks Conservation Association
Protecting Our Parks for Future Generations
http://www.npca.org
That’s great work, Felicia! That’s an excellent way to handle the notification. I’m wondering if you could change your web site’s front page to keep the link to your press release up there for just a little bit longer as the advisory is no longer available on the front page.
Unfortunately, I can’t give anybody any guidance as to how long the attacks might continue but I’m thinking 60 days from the notification of the original breach might be good enough. I’m sure most of the initial damage has been done by now as we’re basically trying to divine the intent of identity thieves at this point. Who knows if they’ve already given up?
What would be really helpful, Felicia, is if you could tell the story of the breach here or on your site. I think a lot of nonprofits are afraid that if the notification is up on the Web or if a press release is issued that it would only bring more hackers to them or that it would further expose their subscribers to more attacks (despite what I believe to be a misunderstanding of how computer security actually works). They’re also worried that constituents in the future would be unwilling to sign up on their web sites. I’ve heard this contention before but I believe that it’s a remarkably counterintuitive reading of how people react to online security issues. Have you lost users? Do you think you will lose the long-term trust of future subscribers?
Good stuff, Alicia. You’ll be happy to know that your organization was *not* mentioned in a New York Times article yesterday that suggested that perhaps some non-profits (the article named three, but elsewhere in the article) were downplaying the Convio security breach to avoid a drop off in what is usually the busiest time of the year in terms of donations.
Also, Salesforce was hacked recently too. Salesforce made the smart move and followed up on all the phishing attempts that resulted. It posted screenshots of phishing emails too. Perhaps those will be of use to you. Best of luck.
[...] victim in another security breach when Convio was hit in November of last year. At the time, I issued some fairly stern remarks about the weak attempts at user notification in regards to username and password breaches. [...]