Comments on: Suggested guidelines for nonprofit disclosure of security breaches

By: Techsoup Is Hit By SQL Injection Attack | Non-Profit Tech Blog

Techsoup Is Hit By SQL Injection Attack | Non-Profit Tech Blog — Thu, 07 Aug 2008 10:32:44 +0000

[...] victim in another security breach when Convio was hit in November of last year. At the time, I issued some fairly stern remarks about the weak attempts at user notification in regards to username and password breaches. [...]

By: RO

RO — Wed, 28 Nov 2007 23:44:55 +0000

Good stuff, Alicia. You’ll be happy to know that your organization was *not* mentioned in a New York Times article yesterday that suggested that perhaps some non-profits (the article named three, but elsewhere in the article) were downplaying the Convio security breach to avoid a drop off in what is usually the busiest time of the year in terms of donations.

Also, Salesforce was hacked recently too. Salesforce made the smart move and followed up on all the phishing attempts that resulted. It posted screenshots of phishing emails too. Perhaps those will be of use to you. Best of luck.

By: Allan Benamer

Allan Benamer — Tue, 27 Nov 2007 23:16:08 +0000

That’s great work, Felicia! That’s an excellent way to handle the notification. I’m wondering if you could change your web site’s front page to keep the link to your press release up there for just a little bit longer as the advisory is no longer available on the front page.

Unfortunately, I can’t give anybody any guidance as to how long the attacks might continue but I’m thinking 60 days from the notification of the original breach might be good enough. I’m sure most of the initial damage has been done by now as we’re basically trying to divine the intent of identity thieves at this point. Who knows if they’ve already given up?

What would be really helpful, Felicia, is if you could tell the story of the breach here or on your site. I think a lot of nonprofits are afraid that if the notification is up on the Web or if a press release is issued that it would only bring more hackers to them or that it would further expose their subscribers to more attacks (despite what I believe to be a misunderstanding of how computer security actually works). They’re also worried that constituents in the future would be unwilling to sign up on their web sites. I’ve heard this contention before but I believe that it’s a remarkably counterintuitive reading of how people react to online security issues. Have you lost users? Do you think you will lose the long-term trust of future subscribers?

By: Felicia Carr

Felicia Carr — Tue, 27 Nov 2007 21:50:46 +0000

The National Park Conservation Association is a Convio/GetActive client and we were one of the organizations whose data was breached. NPCA is committed to full disclosure. The very day we learned of the breach we posted a press release to our site and sent our affected supporters an email notification. We also included a notice to affected subscribers in the November issue of our online newsletter Park Lines.

Our release “National Parks Conservation Association Alerts Online Members of Vendor’s Security Breach” is online here: http://www.npca.org/media_center/press_releases/2007/110507_getactivesecurity.html

We value our online supporters and their trust. We take this breach seriously and are continuing to work on this issue.

Felicia Carr
Director of Online Communications
National Parks Conservation Association
Protecting Our Parks for Future Generations
http://www.npca.org

By: Anonymous

Anonymous — Tue, 27 Nov 2007 01:20:21 +0000

A very large number of SEIU locals and the international union can be added to the list.

By: Allan Benamer

Allan Benamer — Wed, 21 Nov 2007 09:43:17 +0000

Andrea, what grade would you give Convio? Convio had 11 months to inspect, maintain and then alter GetActive’s systems. They could have removed those flaws before they became such big problems especially the “download decrypted passwords in bulk” feature. The breach itself was reported 8 days after the initial downloads with the intruders already in the process of downloading passwords for even more orgs. There were numerous points where some due diligence was called for but for whatever reason it didn’t happen.

The response could have been better but obviously, I did upgrade Convio to a B only after it took them more than a week to post a notice on their site in a conspicuous manner. The problem with security breaches isn’t that they happen, but that the mix of outright fear and condescension towards one’s users causes organizations to basically do the work of their intruders. People who steal identities don’t want their victims to know their identities have been stolen until it’s too late. And organizations further the cause of identity thieves when they don’t notify their constituents properly. E-mail notification is NOT enough. And that is why many orgs get the “F”. Some orgs were NOT timely and worse, used only e-mail as their basic mode of notification. It’s not surprising that both the orgs you mentioned also did not post an alert on their websites.

Finally, we really can’t have lower standards than the private sector on this issue. We have to have higher ones due to our nonprofit status. We have a public trust to uphold.

By: Andrea Wood

Andrea Wood — Wed, 21 Nov 2007 01:45:39 +0000

Log Cabin Republicans and Michigan Equality were affected and did send an alert to their lists. It’s also important to keep in mind that the breach was of the GetActive platform specifically, not Convio’s platform. I know it’s semantics, but this wasn’t a problem with the Convio product – but with the GetActive product that they acquired.

As a GetActive/Convio client, I can say that Convio’s actions were satisfactory from my perspective. They alerted every one of their clients of the security breach, and not just those clients affected. Their staff was extremely responsive to specific questions (as they always are).

By: Allan Benamer

Allan Benamer — Sun, 18 Nov 2007 16:42:51 +0000

@Xris,

Well, add another nonprofit to the list. We now know of 5 nonprofits that have been affected by this. I’m still not particularly satisfied with that response from the Center for Biological Diversity. There are no guarantees that other users on their e-mail lists will read or even receive e-mails containing the warning. Consider yourself one of the lucky ones.

By: Xris

Xris — Sat, 17 Nov 2007 04:22:35 +0000

I received an email today from the Center for Biological Diversity. Since they have no other means of contacting me, this is appropriate. Here’s an excerpt:

“It is possible that the email address and password you use for managing your email subscription with us was obtained by an unauthorized third party. We recommend you prevent misuse of this information. First, immediately change your password with Convio. You can do that on our actionnetwork.org site here: [link] If you use the same email address and password for other online sites (e.g. Yahoo, Amazon, Pay Pal, etc.), we recommend changing your password for those sites as soon as possible.

Next, please contact the Center by email if you experience a suspicious increase in spam messages or phishing.[Definition provided] If an organization or unfamiliar individual asks you for personal or financial information, do not share your information, and contact us immediately. The Center will never ask you for personal information through your email.”

I’m pretty satisfied with their response.