Sunday, November 4

Convio confirms security attack email

I received confirmation from Convio this afternoon that the text below was emailed to 92 GetActive clients who experienced the most severe impact of a recent security attack.

Convio has identified a security attack against our GetActive software systems that has resulted in your constituent data being accessed by an unauthorized third-party. We take this attack very seriously and are committed to working with you to minimize the impact on your organization and your constituents. The third-party sought to download email addresses and, in some instances, member passwords. There was no loss of credit card data. We are confident that this is the extent of the breach:

* Only certain clients on the GetActive software platform were affected. No clients using the Convio software platform were affected.

* Unauthorized downloads of email addresses and member passwords were conducted against 92 GetActive clients, including your organization. Preparations for similar downloads were made against an additional 62 GetActive clients, but were not executed and did not result in data loss.

* The breach occurred between October 23 and November 1, 2007.

* We discovered the breach late in the day on November 1, and worked through the night and all day on Friday to make sure we understood fully the severity and how to help you through the situation.

The attack was carried out by an outside party who temporarily gained limited access to our systems. As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft.

We are notifying you and all other affected clients, as well as those that were not affected so that they understand the situation. We are working over the weekend to provide further information and support and will update you on Monday with the latest information.

What you should do next
We recommend that you notify those constituents with user-created passwords that may have been disclosed. Some of these individuals may use the same email address and the same password with multiple online service providers. Notifying these members will help protect them against compromise of their other online accounts. At the bottom of this message you will find a sample email we have prepared.

Members with user-created passwords are a subset of your full email list. To help your organization communicate with these individual, we have provided a query within your dashboard that can be used to identify this segment of your list. Additional instructions for your GetActive platform administrator are provided below. Please feel free to contact your account manager, who is aware of this situation and will be available to provide support and further updates.

We will provide further guidance about whether we recommend additional notification regarding disclosures that involved only email addresses and any additional updates on Monday. At that time, we will also provide you with a dedicated 800 number and Web page to provide ongoing updates.


Gene Austin
CEO, Convio, Inc.


Mike H said...

Hey fundraiser,

Can you find out who the 92 clients were that were most affected AND how many donor records were at risk?


Anonymous said...

If I was a hacker, I would try to take the username and passwords from the people on nonprofit sites and see if they used the same passwords for amazon, paypal, ebay, etc.

Even if credit card information was not lost, this could be a very serious security issue

Anonymous said...

omg. i would die if i had to tell my executive director or board of directors that this happened to us :(