November 6, 2007
Jan 14, 2008

92 Convio Clients Hit In Security Breach
Firm says no financial data was accessed

By Mark Hrywna

Nearly 100 clients of nonprofit software provider Convio had their data breached after an unauthorized third party was able to access email addresses and in some cases passwords.

Only clients on the GetActive platform were affected; none on Convio's own platform were. Unauthorized downloads of email addresses and passwords were made against 92 clients, about 7 percent of the company's 1,300 clients, almost half of which use GetActive. Convio acquired GetActive earlier this year.

Downloads were also attempted against another 62 clients but were not executed and did not result in data loss. Email addresses and passwords could be used for phishing scams and, where a constituent reuses the same combination elsewhere, for access to online service providers such as PayPal.

Convio declined to identify the organizations breached. The NonProfit Times uses the system to deploy e-letters but was not breached.

The attack was discovered late in the day on Nov. 1 and occurred sometime after Oct. 23. “It was a very sophisticated attack. It took us longer than we would have liked to recognize,” said Convio CEO Gene Austin. Some of the tasks the intruder performed were routine, as if it was an administrator on the system, he said.

The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by being routine, and now “we’re watching those standard routines much, much more closely,” he said.
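The detection story above (an account performing routine administrator actions, then pulling constituent data across many unrelated client accounts, then touching a donation page) can be expressed as a check run over an administrator audit log. The following is an added example for this article, not Convio's or GetActive's code: the log format, the action and actor names, the sample events and the thresholds are all constructed assumptions. It goes one step past the article by separating completed exports from attempted-only ones, which is the split that decides which clients' constituents need a password-reset notice.

```python
# Added example (not Convio's code): flag the two behaviours the article
# describes in an assumed-format administrator audit log: constituent
# exports spread across many client organizations, and edits to a donation
# page. Log format, action names and sample events are all constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log. Assumed format, one event per line:
#   <ISO timestamp> <actor> <client_org> <action> <target> <status>
SAMPLE_LOG = """\
2007-10-24T09:12:01 jdoe org-102 login - ok
2007-10-24T09:14:45 jdoe org-102 view_report campaign_q4 ok
2007-10-24T09:20:10 jdoe org-102 export_constituents email_list ok
2007-10-25T22:03:17 staff7 org-201 login - ok
2007-10-25T22:05:02 staff7 org-201 view_report campaign_q4 ok
2007-10-25T22:09:40 staff7 org-201 export_constituents email_list ok
2007-10-25T22:11:13 staff7 org-202 export_constituents email_list ok
2007-10-25T22:12:58 staff7 org-203 export_constituents email_list ok
2007-10-25T22:14:21 staff7 org-204 export_constituents email_list ok
2007-10-25T22:16:07 staff7 org-205 export_constituents email_list ok
2007-10-25T22:17:30 staff7 org-206 export_constituents email_list incomplete
2007-11-01T16:41:55 staff7 org-203 edit_donation_page donate_main ok
"""


@dataclass
class Event:
    ts: datetime
    actor: str
    org: str
    action: str
    target: str
    status: str


@dataclass
class Finding:
    actor: str
    exported_orgs: set = field(default_factory=set)    # export completed: notify constituents
    attempted_orgs: set = field(default_factory=set)   # export started but not completed
    donation_page_edits: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def parse_log(text):
    """Parse the assumed audit format; reject malformed lines rather than skip them."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 6:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(Event(datetime.fromisoformat(parts[0]), *parts[1:]))
    return events


def max_orgs_in_window(exports, window):
    """Largest number of distinct client orgs one actor exported from inside any window."""
    exports = sorted(exports, key=lambda e: e.ts)
    best = 0
    for i, start in enumerate(exports):
        orgs = {e.org for e in exports[i:] if e.ts - start.ts <= window}
        best = max(best, len(orgs))
    return best


def analyze(events, org_threshold=3, window=timedelta(hours=24)):
    """Return one Finding per actor; flags are set only on the suspicious patterns."""
    findings = {}
    exports_by_actor = {}
    for ev in events:
        f = findings.setdefault(ev.actor, Finding(ev.actor))
        if ev.action == "export_constituents":
            exports_by_actor.setdefault(ev.actor, []).append(ev)
            (f.exported_orgs if ev.status == "ok" else f.attempted_orgs).add(ev.org)
        elif ev.action == "edit_donation_page":
            f.donation_page_edits.append((ev.ts.isoformat(), ev.org, ev.target))
    hours = int(window.total_seconds() // 3600)
    for actor, f in findings.items():
        f.attempted_orgs -= f.exported_orgs  # an org that later completed is not "attempted only"
        n = max_orgs_in_window(exports_by_actor.get(actor, []), window)
        if n > org_threshold:
            f.flags.append(f"bulk_export:{n}_orgs_in_{hours}h")
        if f.donation_page_edits:
            f.flags.append("donation_page_edit")
    return findings


if __name__ == "__main__":
    for actor, f in analyze(parse_log(SAMPLE_LOG)).items():
        print(actor, f.flags, "notify:", sorted(f.exported_orgs))
```

In the constructed log, `jdoe` exports one list from the single organization the account administers and raises no flag, while `staff7` exports from six organizations in a few minutes and later edits a donation page, so both flags fire; the `exported_orgs` set is the list of clients whose constituents need a password-change notice, and `attempted_orgs` the clients that lost no data. A real deployment would replace the fixed `org_threshold` with a per-account baseline of how many organizations that administrator normally touches, which is what "watching those standard routines much more closely" amounts to in practice.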

Convio alerted those clients most affected by the breach, as well as others using the GetActive and Convio platforms. The intruder obtained the login and password of a Convio employee, but no personally identifiable information, such as financial or credit card data, was accessed.

“We immediately spent that night (Nov. 1), and most of the second, understanding the issues as well as eliminating any access points for further intrusion,” Austin said, and the rest of the weekend notifying clients. Each of the communications gave organizations tips on how to communicate and work with their constituents, including recommendations on changing their password and an 800-number to handle future questions.

Since the breach did not involve financial or personal information, it might not be a priority for the FBI, but Convio has submitted everything to authorities, as well as launching its own forensic investigation. "We're starting to get pieces of information this week, but we will not have a full picture for two or three weeks. We've installed additional monitoring, and doing a number of things to over-tighten the environment. The root cause will not be known until later this month," he said.

“The most important thing for us now is to focus on clients and make sure they are on their feet as soon as possible,” Austin said. “Certainly we understand they trust us to manage this data. That trust has taken a little hit, and it’s important to regain and rebuild it.”

Convio recommended that clients notify their constituents whose user-created passwords may have been disclosed. In addition, the company recommended that clients be on alert regarding email that "appears to be from a brand-name organization and that encourages you to visit a Web site to provide personal and financial information. Please be assured that we will never ask you to provide such personal information in an email."

Convio acquired GetActive Software in January for approximately $17 million and filed in August to become a public company. The Initial Public Offering (IPO) is still in its quiet period and under review by the Securities and Exchange Commission (SEC). The IPO "is not playing into our decision making as to how we support our clients," said Tad Druart, director of corporate communications. The quiet period will continue until the actual public offering, which Austin said could be in the first quarter of the year or sooner, but it depends on a number of factors.

Source: The NonProfit Times

http://www.nptimes.com/07Nov/npt-071106-1.html

Other articles on the Convio breach

http://breachblog.com/2007/11/16/convio.aspx

http://www.clickz.com/showPage.html?page=3627723
When a Hacker Strikes an E-mail Service Provider

http://www.eweek.com/c/a/Security/Attackers-Snatch-Member-Data-from-92-Nonprofits/
Attackers Snatch Member Data from 92 Nonprofits

http://www.convio.com/site/PageServer?pagename=reg_onlinesecurity
