Oh well. I’m screwed or rather my old organization is. I doubt they’ll be reading that post but now it’s time to tell them.
UPDATE (Thanksgiving 2007): And of course I can’t tell them because they sent out the notice the night before a holiday only adding to the exposure — GAHHHH! I found out from Beth Kanter. She got the e-mail. I didn’t because I don’t have access to my old Techsoup account. Of course, I’m not sure if my old org has it either. I know for a fact their systems aren’t compromised though since I never used administrator account passwords on the Web. Can I say again that e-mail notification is a pretty weak attempt at notification?
Techsoup is actually the first nonprofit I know of besides Working Assets to put the notice up on their site. Too bad it’s weeks too late for it. I find it hard to imagine that a technology organization can be caught in the headlights for that long but apparently so. Shame, Techsoup, shame. All of Techsoup’s users (of which I’m one) were left mighty high and dry.
Hat tip to Beth for the warning.





Wow, you posted this fast ... I hadn’t even blogged it yet
http://beth.typepad.com/beths_blog/2007/11/security-update.html
Yeah, it’s called typing at near-freakout speeds. Sigh.
I left a question on the forum about the netsquared list … boy, I hope the instance of credit fraud that just happened to me isn’t due to this … although my bank told me it might have had more to do with buying gas with a credit card. I guess if we want to stay in the loop on the conversation about this, we should go over to the forum at TechSoup ...
Well this is good news…
“Please note that these passwords are only for the Convio system, meaning that they only control your email newsletter preferences. No passwords relating to your log in at TechSoup or TechSoup Stock were stolen. Also, no financial information was stolen.”
As an employee of TechSoup, I wanted to respond to the discussion of the security breach at Convio because our members’ information was among the data that was illegally accessed.
Just hours after learning from Convio that TechSoup was one of the 92 nonprofits whose information was stolen, we notified affected members rather than waiting until after Thanksgiving. We took the further step of notifying all TechSoup email subscribers and posting messages on our website to let nonprofits know we are working closely with Convio and that we take this incident very seriously.
I appreciate your efforts to help us spread the word about the break-in at Convio and its impact for TechSoup’s members.
Sincerely,
Matthew Palmer
TechSoup
Hey Matt, this is a little late to reply but can you tell us why Techsoup took so long to send out the notification? Convio sent it out in early November. The way I see it, Techsoup took more than two weeks to send that notification to its members. Am I missing something here?
Hi Allan,
Sure, I’d be glad to address that. TechSoup learned from Convio on Monday, November 19th that we were one of their customers affected by the breach. That same day we issued an email to all of our email newsletter subscribers who had passwords on file with Convio alerting them that their email address and password were potentially compromised and recommending they change their passwords on any other sites that use that email address to log in.
TechSoup has also taken additional steps to notify our subscribers including communicating via email with all newsletter subscribers (including those without Convio passwords), sending a reminder email to subscribers with passwords, posting notices and an FAQ on our website, and answering customer questions by phone and email. Convio has helped us answer questions from TechSoup members with their Security Hotline, which has been available since TechSoup first announced the breach.
Sincerely,
Matt