Convio attack thwarted but 92 clients affected
Technorati Tag: Security Breach
Date Reported:
11/06/07
Organization:
Convio
Contractor/Consultant/Branch:
Unknown
Victims:
Clients of Convio using their GetActive platform
Number Affected:
92 Clients*
*Additional victims may include donors and/or customers of one or more of the 92 clients. For instance, a UConn Foundation spokesman claims 89,000 of their donors were involved.
Types of Data:
Name, address, email address, and Convio/GetActive password.
Breach Description:
On November 1st, Convio detected unauthorized activity on some of their systems that appeared to have started sometime after October 23rd, 2007. An intruder gained access to some of Convio's systems and obtained the login and password of a Convio employee. The breach resulted in the compromise of email addresses and in some cases passwords of up to 92 Convio clients on the GetActive platform.
Reference URL:
Convio Online Security Announcement
The NonProfit Times Story
Information Security Magazine Story
eWeek Story
The Journal Enquirer News Story
Report Credit:
Convio
Response:
From the official Convio online announcement and various sources cited above:
Convio has identified a security attack against our GetActive platform, which many nonprofits, associations and higher education institutions use to send email to volunteers, donors, members and other constituents.
Nearly 100 clients of nonprofit software provider Convio had their data breached after an unauthorized third party was able to access email addresses and in some cases passwords.
[Comfyllama] Were the passwords stored encrypted? It is good security practice to encrypt ALL confidential data at rest. Passwords would definitely be classified as confidential by most security professionals.
If you have been made aware of this by one of the nonprofit organizations the company serves, it is possible that your email address and the password you use for managing your email subscriptions with that organization were obtained by an unauthorized third-party.
Only clients on the GetActive platform were affected
Downloads were made against another 62 clients but were not executed and did not result in data loss
"It was a very sophisticated attack. It took us longer than we would have liked to recognize," said Convio CEO Gene Austin.
[Comfyllama] An honest CEO speaking intelligently about information security. Good!
"Some of the tasks the intruder performed were routine, as if it was an administrator on the system," said Convio CEO Gene Austin.
The intruder attempted to harm a donation page for a site "and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them," Austin said. The intruder began the attack by being routine, and now "we're watching those standard routines much, much more closely," he said.
Convio alerted those clients most affected by the breach, as well as others using the GetActive and Convio platforms. An intruder obtained the login and password of a Convio employee, but no personally identifiable information, such as financial or credit card data was accessed.
[Comfyllama] Because they don't store it! YAY! Read on.
"We immediately spent that night (Nov. 1), and most of the second, understanding the issues as well as eliminating any access points for further intrusion," Austin said, and the rest of the weekend notifying clients. Each of the communications gave organizations tips on how to communicate and work with their constituents, including recommendations on changing their password and an 800-number to handle future questions.
"We're starting to get pieces of information this week, but we will not have a full picture for two or three weeks. We've installed additional monitoring, and doing a number of things to over-tighten the environment. The root cause will not be known until later this month,"
"The most important thing for us now is to focus on clients and make sure they are on their feet as soon as possible," Austin said. "Certainly we understand they trust us to manage this data. That trust has taken a little hit, and it’s important to regain and rebuild it."
[Comfyllama] More honesty and reality. Judging only from his remarks, Mr. Austin seems like a very good CEO for an information security professional to work for.
"The attack was carried out by an outside party who temporarily gained limited access to our systems,"
"As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft."
A spokesperson for Convio told eWEEK that Convio doesn't store credit cards, although the legacy GetActive application does to some extent.
[Comfyllama] Great news.
Convio has created a query within its dashboard that can be used to identify which members of an organization's list might be affected.
About 89,000 other people had only their e-mail addresses accessed without authorization, UConn Foundation spokesman John Sponauer said.
[Comfyllama] The 92 client victims also have victims.
"There are some important steps you can take to prevent misuse of this information:
- If you use the same email address and the same password for any other online service, such as your bank or PayPal, places where you shop online (like Amazon), or online email accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible.
- If you are not sure whether you used the same password at other services, change your passwords to be on the safe side.
- If you do not re-use the same password with other online services, you do not need to take any further action, and are following good Internet security practices.
- We also recommend that you be on the alert regarding email that appears to be from a brand-name organization and urges you to visit a Web site to provide personal or financial information"
"We apologize for any inconvenience this may cause. We take your privacy seriously, and we are committed to protecting it."
Commentary:
I always appreciate when the head of a company, in this case CEO Gene Austin, speaks about information security intelligently. Mr. Austin understands that the responsibility of information security ultimately rests with him. CEOs of other companies would do well to understand this fact. The demonstration of adequate information security control is part of a CEO's responsibility of "due care".
After reading about this breach, I feel pretty confident that Convio knows what they are doing. They are obviously monitoring their systems regularly for unusual activity and following some security best practices. I was especially pleased to read that they do not store personally identifiable information on this breached system and thrilled to read that they don't store credit card data at all (minus legacy apps). I like the incident response too.
For good reason Convio will not disclose the 92 clients publicly, but we can gather some from other resources. We know that The NonProfit Times, CARE, Working Assets, Free Press, the American Museum of Natural History, and the UConn Foundation were victims.
Convio has roughly 1,300 clients and acquired GetActive earlier this year. Convio is also going public soon with an IPO.
Past Breaches:
Unknown
It looks like The American Red Cross was also one of Convio's clients affected by this breach:
AUSTIN (AP) -- A marketing software company serving nonprofits across the country including The American Red Cross said Tuesday that a hacker stole e-mail addresses and password information from its clients' databases.
Tad Druart, a spokesman for Austin-based Convio Inc., said the company has notified federal authorities of a data breach between Oct. 23 and Nov. 1. The hacker used an employee's password to get at the data, Druart said.
No Social Security numbers or bank account information was stolen, Druart said. He said the company immediately notified the 92 companies affected, though he would not name them, and it wasn't known how much information was compromised.