Paige Roberts is the Executive Director of the Southeast Mississippi Chapter of the Red Cross (and a former television reporter). She, like Everson, is married with two children, so I’m sure they had lots to talk about after they finished bumping uglies other than the fact that her house was destroyed by Katrina (and that the Red Cross was destroying her marriage). Let’s hope they also talked about what to do if she got knocked up, because two senior officials at the national Red Cross told the NY Times that she’s carrying his child. Like, seriously? How open about your sex life at the office do you have to be for your underlings to know your mistress is preggers?
Friday, November 30
Veto F. Roley at the Mississippi Press is breaking the story that Southeast Mississippi Chapter Executive Director Paige Roberts matches the clues given earlier this week by multiple news reports as to the identity of the woman who had an affair with the former leader of the Red Cross.
Multiple attempts Thursday by The Mississippi Press to reach Roberts were unsuccessful. "You will have to ask her about it," Roberts' husband, Gary Roberts, said when contacted Thursday. He is a municipal judge in Gautier.
You can read the entire story here.
A call to Paige Roberts' cellular phone was returned by Kiki McLean, who identified herself as a friend. She referred questions to the American Red Cross national office.
Paige Roberts was in Washington, D.C., on Thursday to attend a previously scheduled national Red Cross conference. The story goes on to say:
According to the New York Post, which quoted unidentified Red Cross executives, the woman involved with Everson lives in Mississippi, is brunette, lost her home during Hurricane Katrina, is married with two children and is a former television reporter.
According to Roley's report, Barbara Dumas, chairwoman of the Southeast Mississippi Red Cross chapter, said Thursday that Roberts is still employed.
According to a 2006 profile in The Mississippi Press, Paige Roberts was a reporter at WLOX-TV 13 from 1993 to 1996 and has two children. She is also brunette. The Robertses' home was completely destroyed in Katrina.
And if the scandal involves a high ranking official from one of the biggest charities in the country who is forced to resign over an affair with a subordinate... that's going to grab a lot of people's attention.
This blog experienced one of the biggest spikes ever from individual Google searches on Thursday. Visitor numbers spiked after rumors swirled that the affair resulted in a pregnancy involving a former TV reporter who is working with a Mississippi chapter of the Red Cross.
All day long, I saw visitors coming to the site for the first time after typing in search terms, such as: "Everson affair pregnant scandal Red Cross," or "Red Cross affair made her pregnant" or "Everson resigns pregnancy affair."
It seems clear to me those spikes came from people who were hunting to find the identity of the unnamed woman in the affair. The Nonprofit Times knows the woman's identity, but chose not to publish it for editorial reasons.
...sources inside the organization told The NonProfit Times that the relationship was not a well-kept secret. In fact, according to a staff member with direct knowledge of the situation, Everson’s inner circle had unofficially warned him he was in dangerous territory with the relationship.
One contact of mine at a well known philanthropy paper told me:
"I'm actually not sure how we would handle the publishing of her name if we did have it -- though I think it's telling that the NY Post actually chose not to publish it."
So - I'm torn between conflicting feelings about whether or not publishing the identity of others involved in the story should be made public. I understand that some private issues should play out in private... and I certainly understand that many co-workers (even subordinates) find themselves in office relationships.
My intern finally tracked down the woman's identity and her picture, but I am not convinced publishing it is the best option. So what do you think?
Should we put it to a vote? Do you think bloggers who have the woman's name, identity, or picture of the poorly kept secret should keep it secret or make the name public?
Maybe we should use our Don't Tell The Donor official poll on the right hand side to cast your vote on what you would like to see happen.
Thursday, November 29
Several media reports are beginning to shed a little more light on the affair that led to the Red Cross firing their leader on Tuesday. The New York Times tells it this way:
A senior executive at the Red Cross who had been hired by Mr. Everson told board members about Mr. Everson’s relationship — with a married woman who is head of a Red Cross chapter on the Gulf Coast. Mr. Everson met the woman on trips that were part of efforts to restore the Red Cross’s reputation there. She is pregnant, two Red Cross executives said.
The New York Post describes the woman as a sultry Southern belle:
The glamorous brunette, a former TV reporter, is an official with a Mississippi chapter of the Red Cross - a position that put her on the front lines responding to the Hurricane Katrina disaster that leveled her own home.
Neither paper published the woman's name.
Wednesday, November 28
It's hard to get a lot of respect as an anonymous blogger. I understand that. Why would you trust someone who writes a blog without the accountability of their own personal reputation? That's one of the reasons I got myself an intern to kick around.
But, come on. That doesn't mean you can simply ignore anonymous blogs altogether and wait for the mainstream media to deliver the news you need.
The security breach at Convio is a perfect case in point. Those of you that read this blog regularly knew back on November 4th that Convio had confirmed the fact that hackers stole password information. During the days that followed, I published no less than 13 entries, I kept in contact with the folks at Convio to ask questions and get official comments, I even posted a detailed analysis on what 6 groups did to notify their members.
I'm not trying to toot my own horn. However, I am shocked by the amount of email I received today from folks who only read about the security breach yesterday in the New York Times. One email was even titled, "BREAKING NEWS" and begged me to notify readers immediately?
Seriously? If anything bad happened, the risk was four weeks ago when the breach occurred.
This isn't news. I'm not sure why the New York Times waited so long to publish their story... Stephanie Strom had to have known this was old news. So, either the timing of the publication is weird or the New York Times just proves once again how blogs have changed the speed of the information world.
Stephanie Strom at the New York Times adds more to the Red Cross story. She reports that Suzy C. DeFrancis, chief public affairs officer for the Red Cross, was told that there had been no threat of a lawsuit. The article also writes:
Since he joined the Red Cross at the end of May, Mr. Everson had traveled around the country, visiting chapters and blood services operations and courting donors. He set ambitious fund-raising targets and, in a conversation about eight weeks ago, said he was concerned about declining donations.
There is also a quote from Trent Stamp at Charity Navigator who said, “This will affect fund-raising, organizational morale and public trust in this organization, which is already dangerously low."
My new intern thought it was cute that the New York Post used the headline, "Saucy Red Cross Boss Tossed."
I responded by telling him that he should forget about taking a lunch break today. We have a busy day ahead of us so I went ahead and chained his leg to the desk so that he wouldn't be distracted. I told him if he finds any good angles to the Red Cross story, I will throw him some scraps when I get back from my lunch break.
For me, the most interesting part of the Red Cross story was the irony that Everson's wife is powerhouse lawyer Nanette Rupka Everson - once the chief ethics counsel for the Bush White House. The NY Post points out, "in that high-profile post, she vetted the kind of conduct issues that cost her husband his latest job."
It has also come to my attention that the board learned of Everson's affair from "a senior executive" and he was presented with the "evidence" in front of the full Board.
Tuesday, November 27
Late this afternoon, the Red Cross Board of Governors announced on their website that President and CEO Mark W. Everson would be stepping down because of a 'personal relationship.'
It's only been a couple hours and already Google is showing 288 news stories.
Lucky for you, I finally got an intern at Don't Tell The Donor to boss around. I ordered him to read every single story. He rolled his eyes and refused... but at least he gave me this:
CNN points out in their coverage that Everson is 53 years old, was paid $500,000-per-year, and perhaps most interesting:
The organization became aware of Everson's relationship with a female Red Cross employee 10 days ago, Chief Public Affairs Officer Suzy C. DeFrancis told CNN in a telephone interview.
Bloomberg describes Everson's previous professional experience as commissioner of the IRS and they reveal personal details about his family:
The former executive is married to Nanette Everson, a former White House lawyer under President George W. Bush who later served as general counsel of the Commodity Futures Trading Commission until last March. They have two children.
And the Nonprofit Times adds some details about emergency conference calls between the executive board and the full board. They also share some rumors of favored replacements:
The rumors of his replacement are already humming. One name is that of Frances Fragos Townsend, who recently stepped down as an advisor at the federal Department of Homeland Security and who was talked about as a possible CEO before Everson.
I'll post more coverage as soon as my surprisingly lazy intern gets through some more articles. Email me if you have any tips about this story or if you have any suggestions on how I can intimidate my intern into working harder and faster.
This story is just hitting the wires:
The American Red Cross announced today that its Board of Governors asked for and received the resignation of President and CEO Mark W. Everson, effective immediately. Concurrently, the Board appointed Mary S. Elcano, General Counsel, as interim President and CEO.
The married father of two was hired to improve the image of the Red Cross after criticism of how the charity responded to complaints over their handling of the Katrina response. If you want to read his statement, go here.
The Board acted quickly after learning that Mr. Everson engaged in a personal relationship with a subordinate employee. It concluded that the situation reflected poor judgment on Mr. Everson's part and diminished his ability to lead the organization in the future. He joined the American Red Cross as President and CEO on May 29, 2007.
Bonnie McElveen-Hunter, Chairman of the Board of the American Red Cross, said: "Although this is difficult and disappointing news for the Red Cross community, the organization remains strong and the life-saving mission and work of the American Red Cross will go forward. Mary Elcano, who has ably served as our General Counsel for the past five years, will continue to provide leadership, stability and continuity until a successor is chosen."
Sunday, November 25
After months of trying to ignore Ron Paul, the grassroots fundraising strength of Paul's campaign to be the Republicans' nominee for President has finally attracted enough attention to shift the level of attacks.
Recently, some conservative activist criticized Paul for accepting a donation from a Nevada brothel owner.
Ok, hang on a minute, this story was already funny enough but then Tucker Carlson shows up with a bunch of hookers in tow, thinking this would be a good image for the campaign!
Lew Rockwell is a former congressional chief of staff to Ron Paul. He runs a blog called the LRC Blog where he posted these reactions to the recent criticism on November 25 at 9:04 AM.
Well, No, it means that many diverse Americans think that perpetual war, a police state, income taxes, and the suppression of free speech and voluntary commerce are bad ideas.
When Christian Rightists demand that Ron return the money, and accuse him of approving prostitution if he doesn't, will we see the silliness of the haters?
Friday, November 23
Ryerson University in Toronto is celebrating the opening of a new lecture theatre named for clothier Harry Rosen, but Sears Canada isn't too happy about the name of the building.
The Toronto Star reports:
The department store giant is claiming that instead of getting the promised top billing on a building on the downtown campus in exchange for $10 million in donations, it's left with a lousy little plaque in the George Vari Engineering and Computing Centre, named for a guy who forked over half that much.
Sears Canada Inc. is calling for a court order that Ryerson put its name on a building or, failing that, pay an unspecified amount in damages for breaching the contract.
Thursday, November 22
A reader just forwarded me this email (dated Nov. 20th) from TechSoup, one of the leading edge techie types advising the nonprofit world. Why did it take them so long to notify subscribers?
TechSoup By the Cup - November 20, 2007
The Newsletter from TechSoup.org
"Technology served the way nonprofits need it."
CONVIO SUBSCRIBER ALERT:
Convio/GetActive - the service TechSoup uses to manage and distribute By the Cup - is warning subscribers to exercise caution after hackers broke into its systems and stole email addresses and passwords from 92 nonprofit clients.
While the vast majority of TechSoup email newsletter subscribers were unaffected, 3,000 TechSoup subscribers may have had the usernames and passwords they used to manage their email subscriptions stolen.
There is potential for misuse of this information should you use the same email address and password on other personal accounts (e.g., banking, PayPal, Amazon, Web-based email sites, etc.). Convio would like to advise you of important steps that you should take to prevent misuse of your personal information:
* If this email address and password are used together on any other accounts, it is recommended you change your password on those accounts immediately.
The email goes on to warn subscribers to be wary of emails asking for information. They also reassure folks that their privacy is taken seriously.
Yikes. Are they serious when they use words like "immediately" even though they waited almost three weeks to send out this notice? Maybe they should warn us about the potential problems associated with Y2K?
Tuesday, November 20
I used to work at a small social service nonprofit that accepted in-kind donations of clothes and food for our case workers to give to their clients. As a development officer, I would frequently get phone calls from a board member who would say something like this:
"Mrs. Smith is on her way over with a car load full of donations. She is a very wealthy real estate agent that the fundraising committee has been trying to cultivate for a long time. Can you meet her downstairs and thank her for the donations when she gets there?"
Believe it or not, I wasn't as cynical as I am today that early in my career, so I would cheerily accept countless bags of crap from rich people who felt guilty about throwing their "gently worn" clothes in the trash.
I honestly didn't mind the senselessness of me spending hours accepting donations, sorting them, and then writing tax deductible thank you letters... only to later throw most of it in the trash myself. Heck, I believed in that organization so much, I would eat maggots if it meant bringing on a new potential major donor.
What did bother me so much was the fact that many of these donors who unloaded their "gently worn" junk walked away with a sense of gratification that their charitable obligation had been made... and therefore never gave a financial donation.
I had this video clip of Kevin Bacon from the movie Animal House in mind when I read this opinion piece by Mark Winne, the former director of Connecticut's Hartford Food System. Winne describes his frustration at the troubling co-dependency between food bank donors and recipients.
Both parties were trapped in an ever-expanding web of immediate gratification that offered the recipients no long-term hope of eventually achieving independence and self-reliance.
He goes on to make this conclusion:
While none of this is inherently wrong, it does distract the public and policymakers from the task of harnessing the political will needed to end hunger in the United States.
I recommend the article. I'd like to thank one of my favorite readers for passing it on - at this time of year I'm thankful that I have so many great readers in all corners of the nonprofit fundraising industry.
The risk is that the multibillion-dollar system of food banking has become such a pervasive force in the anti-hunger world, and so tied to its donors and its volunteers, that it cannot step back and ask if this is the best way to end hunger, food insecurity and their root cause, poverty.
I can't help but think how many other small nonprofits around the country continue to accept in-kind donations they can't possibly use simply because they don't want to tell prospective donors "no" - and by doing so - may actually be prolonging an end to the societal problem they are hoping to cure.
Monday, November 19
The BBC has an annual fundraising drive called Children in Need.
Last year, they raised £18.3m - with the sum reaching £33m after donations from all fund-raising was collected - and was seen by 8.9 million people at its peak.
It appears that this year is going to break all previous records... with £19m coming in during the 7 hour telethon which featured a performance by the Spice Girls. Organizers estimate that 36,000 donations were made online and 15,000 donations were made using digital TV service... and more than 212,000 phone calls were placed to operators.
Go here to listen to an interview exploring the technical requirements to handle 212,000 donation phone calls in one night.
Sunday, November 18
I had this movie clip running through my mind when I came across Marsha Gittleman and James R. Rennert's opinion piece on the website of a Long Island, NY newspaper. Gittleman is director of development and public relations at United Cerebral Palsy of Suffolk and Rennert is province director of development at the Cenacle Sisters.
The two of them criticize the inefficiencies of special event fundraisers. They scold honorees who lend their names for fundraising without ever learning about the nonprofit honoring them or the cause. The authors even shame donors who ask, "what's in it for me?" or who attend fundraisers only because of the social status it brings them.
The directors of development come to the conclusion that if we all really care about the biggest percentage of each gift going to the cause, fundraisers should declare a hiatus in special events and return to personal face-to-face solicitations.
On Long Island for too long, organizations have had a misplaced comfort level in selling tickets to an event rather than promoting a cause.
The real target of this opinion piece does not appear to be the event planners, caterers, and silent auction promotion companies... rather the real target of this piece seems to be fellow development directors who have forgotten how to solicit donations based on the mission of their nonprofit without selling donors a ticket to a gala or an event.
Saturday, November 17
On Thursday, three researchers from the Ohio State University presented the conclusions of an interesting study at the annual meeting of the National Communication Association.
They tested an idea by showing newspaper articles about a mayoral campaign to 239 adults. Embedded in those news stories were references to the fund-raising prowess of the candidates. Later the participants in the study rated the candidates on several traits, including leadership, honesty, intelligence, and competency.
The liberal candidate who raised the most money was perceived as lower in integrity. However, there was no similar drop for conservative candidates who raised a lot of money. The conservative candidate best at raising money was more likely to be considered "competent" - particularly by conservative voters.
Why the difference? For conservative candidates, successful fund-raising "may signify a great individual achievement, leadership, and loyalty among his supporters," the researchers noted. . . . Similarly, he is perceived as being more competent when he has more money, perhaps because he has done what it takes to win without violating . . . his ideological principles."
Do you think the same shifts in opinion occur when liberal nonprofit groups publicize their fundraising results?
"The liberal candidate, however, does not fare so well in the court of public opinion by raising more money," they added. "Across the board, respondents felt the liberal had less integrity when he had more money."
Thursday, November 15
This blog covered the news of Convio's recent security breach closely. We noted that despite Convio's best efforts to notify all 92 nonprofits impacted by the hacker - it seems only a handful of nonprofits made the news public.
Today I came across three stories of the breach that told the story - all with a slightly different tone:
Roger Craver at The Agitator applauded Gene Austin, Convio's CEO, for prompt and open recognition and acknowledgement of problems - saying that it was a critically important part of the process of building trust. Roger even thought Austin "deserved a raise."
Compare that to Allan Benamer over at the Non-Profit Tech Blog who was not so gracious in giving Convio a "C-".
Convio gets that “C-” for the late disclosure and for not doing due diligence properly on their GetActive acquisition. However, Dave Crooke did a decent job of answering technical questions regarding the breach despite the fact that he did it on an e-mail list when he should have done it on the Convio site itself. However, Tad Druart, Convio’s Director of Corporate Communications, did a good thing by not only alerting the press but also the blogosphere. It was a calculated decision to be sure, but Tad probably tamped down on the level of blogging cattiness by the likes of yours truly and others.
I have to think Allan is referring to me as one of the others who might have been catty if Tad had not reached out to me to answer questions and offer official statements.
Finally, I thought it was interesting how the brief story on page 32 of the November 15th Chronicle of Philanthropy gave Gene Austin an opportunity to give the money quote... blaming the problem solely on the ghost of GetActive.
Despite the fact that roughly half of Convio's 1300 clients use the GetActive software, Austin told the Chronicle that he thinks the attackers may have focused on GetActive because, in the past, "Convio has put more investment in security than GetActive."
In May of this year, the Wall Street Journal published a story about how food banks across the country have experienced a drop in food donations - by more than 15 or 20% in some cases. I read more this morning about how this pinch is hurting big cities like Chicago:
Food retailers and manufacturers, in other words, are becoming more efficient—wasting less food, mislabeling less often and instituting fewer marketing campaigns—resulting in less food donated to the depository.
The federal government, in the midst of a legislative roadblock regarding the 2007 Farm Bill, is providing less food for the depository. In 2005 the government provided 34 percent of the depositories’ food supply—16 million pounds. However in 2006 the government decreased its donation to 10 million pounds.
Tuesday, November 13
An anonymous donor gave $100,000,000 to the Erie Community Foundation which is to be split between 46 local charities.
Each of the charities will get about $1 million to $2 million. The recipients include a food bank, a women's center, a group for the blind and three universities.
The city — and the entire county of 280,000 — could clearly use the money. There is a poverty rate of 19% in this industrial city on the shores of Lake Erie.
I know of a lot of nonprofits who have used bonds to raise money in recent years. There can be some real advantages for Boards who are looking to raise funds using the tax advantages of bonds... but what happens if those bonds get downgraded?
Aaron Cahall at The Examiner explains the impact such a downgrade had on the Baltimore Aquarium:
Last month, Fitch Ratings downgraded its rating for the aquarium’s approximately $34 million in bonds to “BBB+” from “A+”, citing the attraction’s diminished liquid assets and declining attendance. In early September, Moody’s Investors Service lowered its rating on the bonds from A3 to A2, and both firms held a negative outlook at the lower levels.
The institution has $23 million on hand, which is down from previous years... and it needs to find a way to push for new fundraising opportunities.
Contributions and grants totaled $9,532,193, or 23 percent of the aquarium’s $41.7 million budget last year, according to its 2006 annual report. Approximately 50 percent of the aquarium’s revenue comes from admissions, said Molly Foyle, director of media relations for the aquarium, with 30 percent from gift shop and on-site revenues and 20 percent from city, state and private contributions.
To be honest, I don't think this is going to be the only group that has their bond ratings lowered over the next few months.
Monday, November 12
The nonprofit group that has helped raise over $200,000 for the Jena 6 legal defense fund is responding to slanderous allegations made by radio personality Michael Baisden.
Since July 17th, ColorOfChange members have donated $212,039.90 for the legal defense of the Jena 6, six Black boys being unjustly railroaded by the criminal justice system in Jena, Louisiana. ColorOfChange has already sent $210,809.90 to the six legal teams defending these young men.
The group even offers a link to see the cancelled checks along with a website to refute each of the allegations.
In an email sent last Thursday to supporters of ColorOfChange.org, the group makes its own claims about why Baisden would spread these attacks.
So why does Baisden resort to slandering us on the air now, after seeing for himself exactly how funds were managed? He's promoting his own fundraising effort this week and is trying to position himself as the only trustworthy source for fundraising around the Jena 6. He's stated explicitly that he started his fund because he thinks other efforts are untrustworthy. Discrediting us is a great way to promote himself and his fund.
I feel ashamed for posting the Denver Post, Chicago Tribune, and YouTube video link in a previous posting without this clarification... and I thank one of my favorite readers for pointing out this response.
Both the Chicago Tribune and the Denver Post ran stories on Sunday asking questions about who is accounting for the money donated to help the Jena 6 with their legal defense fund.
Just weeks after some 20,000 demonstrators protested what they decried as unequal justice aimed at six black teenagers in the Louisiana town of Jena, controversy is growing over the accounting of at least $500,000 donated for the teens' legal defense.
To make matters worse, pictures have been circulated on the internet which don't show the defendants in the best light:
Parents of the Jena 6 teens have refused to publicly account for how they are spending up to $250,000 that resides in a bank account they control.
Michael Baisden, a nationally syndicated black radio host who is leading a major fundraising drive on behalf of the Jena 6, has declined to reveal how much he has collected. Attorneys for the first defendant to go to trial, Mychal Bell, say they have yet to receive any money from him.
One photo shows Robert Bailey, one of the Jena 6 defendants, smiling and posing with $100 bills stuffed in his mouth. Another shows defendants Carwin Jones and Bryant Purvis modeling like rap stars on a red carpet at the Black Entertainment Television Hip Hop music awards in Atlanta last month.
Someone even posted the photos to this YouTube video:
Alan Bean, the director of Texas-based group Friends of Justice, who was the first civil rights activist to investigate the Jena 6 case, was quoted as saying, "There are definitely questions out there about the money."
Noam Cohen and James Freed have an article in the New York Times Giving section today on the increasing power of fundraising blogs.
They interviewed Roger and Tom at The Agitator, Peter at the Chronicle's Give and Take blog, Holden at GiveWell, Jack at Charity Governance, Phil at Gift Hub, and Trent at Trent Stamp's Take.
Even Don't Tell the Donor got listed on the interactive blogroll.
Sunday, November 11
Stephanie Strom (as always) has a great article in the New York Times today on the efficiencies that can be gained when two charities merge.
The article explores how Accenture helped the Hands On Network and the Points of Light Foundation merge.
Strom also cites examples like Safe Space NYC, the Children’s Village Inc. and Inwood House's creation of "a separate charitable organization to cultivate donors and solicit major gifts."
The Humane Society of the United States' partial mergers with two other animal advocacy groups, the Doris Day Animal League and the Fund for Animals, are also mentioned.
Saturday, November 10
I think most people already assume that major donors and hospital Board members get extensive personal attention or a streamlined process for contacting doctors.
However, it's always juicy when a reporter gets their hands on proof that a state funded hospital operates a dedicated concierge program for VIPs or prospective donors.
The Dallas Morning News obtained a detailed list compiled by UT Southwestern staff members of about 6,400 people, many of them influential, wealthy or politically connected. The medical center used the list to flag powerful people or potential donors to offer them special treatment at the hospital.
Dr. John McConnell, executive vice president for health system affairs at the medical center, tries to explain the program with this innocent explanation:
The Special Assistance Office was supposed to "centralize what was already happening," he said. He could not provide figures on how many patients are enrolled in the program. Four full-time employees and one part-time employee work in the office. Its current operating budget is $300,000, which comes from clinical revenue, but not state funds, he said.
No wonder UT Southwestern has been able to increase the institution's endowment from $40 million in 1986 to $1.3 billion today.
To see who's on the list of hospital VIPs, go here.
Friday, November 9
Mark Hrywna at the Nonprofit Times has another alarming story:
Salesforce.com is the second software vendor to nonprofits this week to announce a data breach. The firm alerted its clients of phishing attempts and the security breach. The most recent phishing attempts included malware, software that secretly installs viruses or key loggers.
I'm not really good with math, but "fewer than 10 percent" still means that there could be up to 3,000 nonprofits out there trying to figure out the impact of the breach, right?
Salesforce.com sent security alerts to customers regarding two recent phishing emails: one titled “FTC” on Oct. 29 and the other “We want to make a order with…” on Nov. 6. The San Francisco-based company refused comment, except for a letter to clients that indicated “a rise in phishing attempts directed at salesforce.com customers over the past few months.” The firm has more than 30,000 clients, fewer than 10 percent of which are nonprofits. The firm offers small organizations licenses for up to 10 users at no cost.
Thursday, November 8
Houston police shut down portions of the Gulf Freeway and Memorial Drive as President Bush hurriedly rushed in and out of town for a fundraiser today.
Bush spent about an hour and a half at the River Oaks home of Richard and Nancy Kinder. Who is that, you ask? And why did Bush rush in and out of town so quickly (and quietly)?
Richard Kinder is a director of Kinder Morgan Energy Partners. He had been president of Houston-based Enron until 1996.
According to Lee McGuire at KHOU 11 News, it was the first stop on Bush’s two-city Texas fundraising tour. The fundraisers, in Houston and San Antonio, are expected to raise about $1.3 million for the Texas Republican Party and the campaign of Sen. John Cornyn, who is likely to face Democrat Rick Noriega in 2008.
The University of Connecticut Foundation, Inc. apologized in a statement to friends, alumni and donors who were impacted by the breach at Convio. They published the most common inquiries that callers and e-mailers have asked the UConn Foundation since notification of the breach was sent.
UPDATE: I must admit, I've been overwhelmed by the number of emails I've received from folks over the past few days. A couple readers wanted to let me know that the Care2 community was discussing whether EarthJustice was affected. It also seems like The Five Moms Campaign sent out an email to their supporters as well (I know, who the heck are the 5 moms, right?)
Allan Benamer at the Non-Profit Tech Blog has been covering a couple of angles of the Convio security breach, and - quite frankly - I don't understand all the technical issues. However, I know enough about security to be stunned by this exchange in Allan's comment field:
Anonymous "activist" wrote:
Convio’s multiple security failures here are elementary-level and simply inexcusable.
First, as mentioned before, there’s the unencrypted passwords issue.
But secondly, from what I’ve been reading about this, the GetActive and Convio network security was laughable. An employee was allowed to work from home, on a non-secure PC, without the latest spyware & malware protections? And this employee was someone with the privileges to administratively access ALL 150 accounts that were affected or almost affected? Why does one employee need to be able to access 150 accounts? And this is at a company that is supposed to handle millions upon millions of records of data safely and securely?
A basic security audit would have pointed these vulnerabilities out — but I guess Convio didn’t want to bother with that.
I wonder how the potential of millions and millions of dollars of liabilities from this incident will affect Convio’s planned IPO…
Allan responded by saying:
@activist — from what I can tell, the employee might have been phished so spyware and malware would not have helped. I’m more worried by the “download all the passwords” capability. That’s a bit nuts. It was like handing hackers the entire cookie jar. It was not a good kludge and all because they were too unwilling to do an open API. This is a great time to demand an SLA from Convio though. You couldn’t get it before but I’m sure there are lots of demands for SLAs right now coming at Convio.
Yikes. I hadn't read anything about the employee working from home who had access to so many records... and I certainly didn't think that this security breach could be tied to the new API developments that made headlines several weeks ago. Now I'm beginning to think we haven't heard the full story yet.
As always, I know the fact that I run this blog anonymously rubs some people the wrong way, but I continue to invite Convio to use the comments feature on this website if they choose to explain or refute any of these statements... after all, it seems like a better place than the progressive exchange list.
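The worry in the comment exchange above is a single staff login that can pull member data out of every client account. As an added example (not code from this blog, the commenters or Convio), here is one way an audit log could be checked for that pattern in Python; the log format, the `export_members` action name, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format:
# ISO timestamp, staff login, action, client (tenant) id.
SAMPLE_LOG = """\
2007-10-22T09:14:02 staff_a export_members client_017
2007-10-22T09:20:45 staff_a view_dashboard client_017
2007-10-23T02:05:10 staff_c export_members client_001
2007-10-23T02:05:58 staff_c export_members client_002
2007-10-23T02:06:41 staff_c export_members client_003
2007-10-23T02:07:30 staff_c export_members client_004
2007-10-23T02:08:12 staff_c export_members client_005
garbled line without enough fields
2007-10-24T11:00:00 staff_b export_members client_009
2007-10-29T11:00:00 staff_b export_members client_010
"""

EXPORT_ACTIONS = {"export_members"}  # assumed name for the bulk-download action


def parse_line(line):
    """Return (timestamp, actor, action, client), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
    except ValueError:
        return None


def find_cross_client_exports(log_text, window=timedelta(hours=24), max_clients=3):
    """Flag logins that export from more than max_clients distinct clients in window.

    Returns (alerts, skipped). alerts maps login -> (time the threshold was first
    crossed, peak distinct-client count); skipped counts unparseable lines.
    """
    parsed = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    skipped = parsed.count(None)
    recent = defaultdict(deque)  # login -> (timestamp, client) pairs inside the window
    alerts = {}
    # Logs merged from several hosts may interleave, so order by time first.
    for ts, actor, action, client in sorted(p for p in parsed if p):
        if action not in EXPORT_ACTIONS:
            continue
        q = recent[actor]
        q.append((ts, client))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = len({c for _, c in q})
        if distinct > max_clients:
            first, peak = alerts.get(actor, (ts, 0))
            alerts[actor] = (first, max(peak, distinct))
    return alerts, skipped


if __name__ == "__main__":
    found, bad = find_cross_client_exports(SAMPLE_LOG)
    for login, (when, peak) in found.items():
        print(f"ALERT {login}: exported from {peak} clients within 24h, since {when}")
    print(f"{bad} malformed line(s) skipped")
```

The threshold would need to be set per role, since support staff may legitimately touch several clients in a day.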
Wednesday, November 7
I was so preoccupied this week I forgot to blog about Ron Paul. The Republican maverick running for President "blew up" the one-day fundraising record in celebration of Guy Fawkes Day.
The Christian Science Monitor said this:
On Monday, an independent effort by Paul backers raised a stunning $4.2 million for his campaign, nearly all of it online. At the rate Paul is going, he will have a fourth-quarter funding total that rivals or even surpasses the top-tier GOP candidates.
Paul backers tied their Nov. 5 fundraising effort to Guy Fawkes Day – which commemorates the day in 1605 when the British mercenary tried to blow up Parliament and kill the king. Fawkes also provided inspiration for the 1982 graphic novel "V for Vendetta," later a movie. The Paul-Fawkes connection led the Paul campaign to assert that the congressman does not support violence against the government.
The website Editor and Publisher speculated that the media will be forced to pay attention now that Paul's supporters have taken matters into their own hands.
The Kane County Chronicle in Illinois ran this piece by Liz Wolgemuth yesterday:
It seems so simple. As the radio jingle says, call 1-877-Kars4kids, and “donate your car today.”
Not only will you get a tax deduction and a voucher for a two-night hotel stay, you also get the satisfaction of knowing that all the proceeds of your donation will help provide food, clothing, education and guidance to children between 6 and 18 years old, as the Kars4Kids Web site says.
Sounds like a win-win, right?
Cars donated through Kars4Kids actually go to the Lakewood, N.J.-based nonprofit JOY for Our Youth, which uses the catchier Kars4Kids name in its fundraising efforts.
And the vast majority of JOY’s program services dollars go to another organization that shares its same New Jersey address and devotes its efforts to orthodox Jewish education.
The confusing chain of charities behind the simple radio ad highlights a problem for many donors who want to better understand where their contribution is going, particularly when it comes to car donations.
This does sound pretty sneaky, but honestly... in my experience now that the IRS has cracked down on car donations most donors should feel lucky they get a $500 deduction and some group comes and tows their piece of crap car.
Remember though, it is not their fault - but that of Convio who should be doing more to protect the data of its customers. A larger percentage of the bigger non-profits use Convio, so the problem could be wider than anticipated. And we could see a temporary increase in spam, and a decrease in overall responses over the next few weeks. (During this important year-end giving season).
Do you agree with Jeff that the timing of this breach could hurt year-end giving?
Tuesday, November 6
Mark Hrywna at the Nonprofit Times got some more details from Convio:
“It was a very sophisticated attack. It took us longer than we would have liked to recognize,” said Convio CEO Gene Austin. Some of the tasks the intruder performed were routine, as if it was an administrator on the system, he said.
The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by being routine, and now “we’re watching those standard routines much, much more closely,” he said.
Wow. A smart hacker, huh? But there is more:
“We immediately spent that night (Nov. 1), and most of the second, understanding the issues as well as eliminating any access points for further intrusion,” Austin said, and the rest of the weekend notifying clients. Each of the communications gave organizations tips on how to communicate and work with their constituents, including recommendations on changing their password and an 800-number to handle future questions.
Since the breach did not involve financial or personal information, it might not be a priority for the FBI, but Convio has submitted everything to authorities, as well as launching its own forensic investigation. “We’re starting to get pieces of information this week, but we will not have a full picture for two or three weeks. We’ve installed additional monitoring, and doing a number of things to over-tighten the environment. The root cause will not be known until later this month,” he said.
“The most important thing for us now is to focus on clients and make sure they are on their feet as soon as possible,” Austin said. “Certainly we understand they trust us to manage this data. That trust has taken a little hit, and it’s important to regain and rebuild it.”
To read the full article, go here.
The Non-Profit Tech Blog published more details from Dave Crooke at Convio which was posted to the progressive exchange list:
The intruder obtained a login and password belonging to a Convio (GetActive) employee. It appears that their PC was compromised, but we are still investigating - we have sent that PC’s hard drive to a forensic lab for formal analysis. The operating system level integrity of the GetActive production systems was not affected.
The intruder logged in and downloaded a number of email addresses and passwords belonging to constituents of GetActive client non-profits.
So, will we need to wait for the forensic analysis before we learn more?
A reader passed along an email to me this morning from the ACLU of Southern California:
This weekend we learned about a security breach at GetActive/Convio, the company that provides internet services for our online Action Team. Your information has not been affected.
There was no breach of personally-identifiable information or credit card data, but some email addresses and passwords may have been obtained by an unauthorized third party.
Because we take your privacy seriously, we want you to know what we are doing to protect it. Even though your information was not affected, GetActive/Convio suggests the following steps for online security:
1. Do not reuse the same password for your online services such as banking or PayPal.
2. Pay careful attention to emails you may receive requesting personal and financial information, and only provide it when you can confidently confirm that it has come from a trusted organization.
3. Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus.
That must be an especially hard situation for the privacy folks at the ACLU.
The National Parks Conservation Association sent out an alert to online members regarding the potential impact of Convio's security breach. They reiterated that no credit card or other personally identifiable information was breached, however:
[It is] possible that the email addresses and passwords used by our online members for managing their NPCA email subscriptions were obtained by an unauthorized third-party as part of this breach. NPCA has taken appropriate counter measures, and has alerted our members accordingly.
The group then asks members to call or email them directly with questions.
Monday, November 5
Allan Benamer at the Non-Profit Tech Blog picked up the story of the Convio security breach. He's got interesting discussion going on in the comments section, including comments from Eileen Bayers, VP of customer relations at Working Assets and Tad Bruart, Convio’s Director of Corporate Communications.
It seems like Convio has done their part by getting the information out to clients regarding the security breach. What seems extremely troubling to me is that not all of the organizations seem to have contacted their donors/constituents to notify them of the risk they may face.
Granted - no credit card details were compromised. But, am I the only dummy out here who uses the same password for multiple online sites? If a hacker got my password from a GetActive client that I supported... I would be a prime target for identity theft if that same hacker tried to access my Yahoo! or PayPal account.
That is the next (and scariest) phase of this story.
Convio can only lead their clients by providing draft emails... they can't make the clients actually send the email to their constituents. Should they be more proactive and contact the affected people themselves? Is Convio legally allowed to contact these constituents?
If you lost a set of keys and those keys have your address printed on the keychain, don't you have an obligation to notify the people who you share that house, apartment, or office with? What would you do if that happened to you? Do you keep your mouth closed and hope no one breaks in? And if they do, would you continue to pretend the thief didn't get the key from you?
We regret to inform you that the company we contract with to provide online services, Convio, has identified a breach of one of their internet security systems. There was no breach of personally-identifiable information or credit card data, but your email address and password for managing your Act For Change and Working For Change subscriptions were obtained by an unauthorized third party.
There is potential for misuse of this information should you use the same email address and password on other personal accounts (e.g., banking, PayPal, Amazon, etc.) Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:
It goes on to explain some steps donors should take to protect themselves.
Sunday, November 4
I received confirmation from Convio this afternoon that the text below was emailed to 92 GetActive clients who experienced the most severe impact of a recent security attack.
Convio has identified a security attack against our GetActive software systems that has resulted in your constituent data being accessed by an unauthorized third-party. We take this attack very seriously and are committed to working with you to minimize the impact on your organization and your constituents. The third-party sought to download email addresses and, in some instances, member passwords. There was no loss of credit card data. We are confident that this is the extent of the breach:
* Only certain clients on the GetActive software platform were affected. No clients using the Convio software platform were affected.
* Unauthorized downloads of email addresses and member passwords were conducted against 92 GetActive clients, including your organization. Preparations for similar downloads were made against an additional 62 GetActive clients, but were not executed and did not result in data loss.
* The breach occurred between October 23 and November 1, 2007.
* We discovered the breach late in the day on November 1, and worked through the night and all day on Friday to make sure we understood fully the severity and how to help you through the situation.
The attack was carried out by an outside party who temporarily gained limited access to our systems. As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft.
We are notifying you and all other affected clients, as well as those that were not affected so that they understand the situation. We are working over the weekend to provide further information and support and will update you on Monday with the latest information.
What you should do next
We recommend that you notify those constituents with user-created passwords that may have been disclosed. Some of these individuals may use the same email address and the same password with multiple online service providers. Notifying these members will help protect them against compromise of their other online accounts. At the bottom of this message you will find a sample email we have prepared.
Members with user-created passwords are a subset of your full email list. To help your organization communicate with these individuals, we have provided a query within your dashboard that can be used to identify this segment of your list. Additional instructions for your GetActive platform administrator are provided below. Please feel free to contact your account manager, who is aware of this situation and will be available to provide support and further updates.
We will provide further guidance about whether we recommend additional notification regarding disclosures that involved only email addresses and any additional updates on Monday. At that time, we will also provide you with a dedicated 800 number and Web page to provide ongoing updates.
CEO, Convio, Inc.
Saturday, November 3
Fresh off his embarrassing fundraising scheme to raffle off a Boston Red Sox ticket to the World Series, Senator Dodd is at it with another unique fundraising strategy:
Connecticut Sen. Chris Dodd, lagging far behind the leading Democratic challengers in the fundraising race, tried a chatty strategy on Thursday in an e-mail with the subject line: "Fw: Re: Update?"
The e-mail purports to pass along an e-mail chain that includes messages between two staff members, Tim Tagaris and campaign manager Sheryl Cohen.
First, Cohen asks Tagaris for an update on online fundraising that has been requested by Dodd. Then, Tagaris sends a glowing report to Cohen. Next, Dodd forwards their e-mail to his "friends," explaining: "I asked my campaign manager for an update on what we accomplished online during the month of October, and I was so pleased with her response that I wanted to make sure you saw the e-mail chain."
Thanks to Nancy Benac for the tip.
Thursday, November 1
From Perez Hilton:
Mario Lopez was scheduled to attend a benefit for victims of domestic violence and their children in his hometown of Chula Vista (San Diego) on Saturday, October 27th.
He was a no-show, PerezHilton.com has learned. And, what’s worse, he gave an awful excuse as a cover-up!
The Saved By The Bell and Dancing With the Stars star blamed the local fires and displaced relatives – victims of the fires – as reason for his absence.
However, this week, video surfaced of Lopez dancing the night away at the Playboy Mansion’s Halloween party - the same night he was supposed to be at the benefit.
The 9th annual benefit raises money for children of Casas Seguras, a shelter for domestic violence victims. Lopez had shown much concern about helping children in his hometown.
Apparently he cared more about having a good time at the Playboy Mansion.
So many people were disappointed. He’d been advertised on their promotional materials and everything, which he had signed off on and was aware of.
And to use the fire as his excuse !!! Not very bright considering the press about Hef’s Halloween party is everywhere!
Lucy Bernholz at Philanthropy 2173 questions Newsweek's recent assertion that Facebook is on the cutting edge of changing philanthropy.
To prove her point, she points to some great research over at Care2's frogloop. Unfortunately, the frogloop piece is almost nine months old. Some things have changed since then.
While I agree it is a big challenge for nonprofits to identify themselves as THE OFFICIAL Facebook site, I think most marketers are excited with Facebook because it kicks MySpace butt when it comes to researching who your cause supporters are.
That simple advantage will make it much easier for nonprofits to turn supporters of the cause into a valuable prospect list.
I once had a charity web manager tell me his group had 4,000 friends on MySpace.. which sounded pretty cool at first, but when he admitted he has no way to figure out WHO those people were or how to contact them directly.