November 15, 2007 | Read Time: 1 minute
Ninety-two nonprofit groups that use Convio, a company that helps charities raise money and send advocacy appeals online, had their accounts broken into in late October, the company has announced.
All the attacks involved charities that use GetActive, a software company Convio acquired in January. The attackers also tried, but failed, to gain access to information from 62 additional groups that use GetActive, whose software supports roughly half of Convio’s 1,300 clients.
The attackers downloaded rosters of e-mail addresses that charities collected and, in some cases, passwords for those addresses.
In addition to privacy issues and spam, Convio is worried the thieves could use the passwords to break into other online accounts that use the same e-mail addresses.
The attackers did not gain access to credit-card numbers, financial information, or other data that could be linked to people, beyond the e-mail addresses. Convio officials moved quickly to warn the 92 charities, sending them alerts and guiding them in how to break the news to people whose e-mail addresses were taken.
The reasons for the attack remain unknown, says Gene Austin, chief executive officer of Convio. But he says the attackers may have focused on GetActive because, in the past, “Convio has put more investment in security than GetActive.”
Nevertheless, immediate security upgrades have eliminated the threat of a repeat attack, Mr. Austin says. “We wish it hadn’t happened, but we’re dealing with the information we have and improving ourselves because of it.”
The company is now working with federal authorities to investigate the theft. Mr. Austin says they have leads, although he declined to say more.
For more information: Go to http://www.convio.com/onlinesecurity.
