
November 8, 2007

Nonprofits’ Data Breached Yet Again In Software Attack


Salesforce.com is the second software vendor serving nonprofits this week to announce a data breach. The firm alerted its clients to phishing attempts and the security breach. The most recent phishing attempts carried malware, software that secretly installs viruses or key loggers.

Salesforce.com sent security alerts to customers regarding two recent phishing emails: one titled “FTC” on Oct. 29 and the other “We want to make a order with…” on Nov. 6. The San Francisco-based company declined to comment, except for a letter to clients that indicated “a rise in phishing attempts directed at salesforce.com customers over the past few months.” The firm has more than 30,000 clients, fewer than 10 percent of which are nonprofits. The firm offers small organizations licenses for up to 10 users at no cost.

The announcement came three days after Convio announced it had a security breach with at least 92 clients, as previously reported on www.nptimes.com.

“When we first saw signs of this sudden rise, we conducted a thorough analysis,” according to the salesforce.com announcement. “We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. A phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.” The copied information included first and last names, company names, email addresses, telephone numbers of customers, and related administrative data belonging to salesforce.com.

A small number of customers began receiving bogus emails that looked like salesforce.com invoices but were not; they were also phishes.

“Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher. Our support and security teams have been working with the small group of affected customers to enhance their security and with law enforcement authorities and industry experts in an effort to trace what occurred and prevent further attempts.”

The new phishing attempts that included malware prompted salesforce to warn system administrators and send the recent letter, “with the goal of increasing awareness.”

Sometime between Oct. 23 and Nov. 1, at least 92 clients of nonprofit software provider Convio had data breached after an unauthorized third party was able to access email addresses and in some cases passwords via a third-party data center used by the firm. Only clients on the GetActive platform were affected, none on Convio’s platform, with unauthorized downloads of email addresses and passwords. The 92 clients are approximately 7 percent of the company’s 1,300 clients, almost half of which use GetActive. Convio acquired GetActive earlier this year.

Download attempts were made against another 62 clients but were not executed and did not result in data loss. Email addresses and passwords could be used for phishing scams and, if the same combinations are reused as login credentials elsewhere, possibly to access online service providers such as PayPal.

Convio declined to identify the organizations breached. The NonProfit Times uses the system to deploy e-letters, but those files were not breached, according to Convio. However, the firm’s media list, of which NPT reporters and editors are a part, was breached.

The GetActive platform is housed at a data center in Sacramento, Calif., while the Convio platform is in Austin. It’s common practice for Software as a Service (SaaS) companies to host their servers at data centers they don’t own or operate, said Tad Druart, director of corporate communications for Convio. “Essentially what the data centers provide to us is floor space, power and Internet connectivity. We own or lease all of the equipment that the system runs on. Both of these facilities provide multiple redundant network paths, backup power generators, climate control and ‘round-the-clock security for the equipment.”

Convio CEO Gene Austin described the attack against his firm as “very sophisticated.” Some of the tasks the intruder performed were very routine, as if it were an administrator on the system, he said.

The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by performing routine tasks, and now “we’re watching those standard routines much, much more closely,” he said.

Convio alerted those clients most affected by the breach, as well as others using the GetActive and Convio platforms. An intruder obtained the login and password of a Convio employee, but no personally identifiable information, such as financial or credit card data, was accessed.

“We immediately spent that night (Nov. 1), and most of the second, understanding the issues as well as eliminating any access points for further intrusion,” Austin said, and the firm spent the rest of the weekend notifying clients. Each of the communications gave organizations tips on how to communicate and work with their constituents, including recommendations on changing their password and an 800-number to handle future questions.

Since the breach did not involve financial or personal information, it might not be a priority for the FBI, but Convio has submitted everything to authorities, as well as launching its own forensic investigation. “We’re starting to get pieces of information this week, but we will not have a full picture for two or three weeks. We’ve installed additional monitoring, and are doing a number of things to over-tighten the environment. The root cause will not be known until later this month,” he said.

Convio recommended that clients notify their constituents whose user-created passwords may have been disclosed. In addition, the company recommended that clients be on alert regarding email that “appears to be from a brand-name organization and that encourages you to visit a Web site to provide personal and financial information. Please be assured that we will never ask you to provide such personal information in an email.”

Convio acquired GetActive Software in January for approximately $18 million and filed in August to become a public company. The Initial Public Offering (IPO) is still in its quiet period and under review by the Securities and Exchange Commission (SEC). The IPO “is not playing into our decision-making as to how we support our clients,” said Druart. The quiet period will continue until the actual public offering, which Austin said could be in the first quarter of the year or sooner, depending on a number of factors.

***

This article is from NPT Instant Fundraising, a publication of The NonProfit Times.

© 2007 The NonProfit Times