By Mark Hrywna
Nearly 100 clients of nonprofit software provider Convio had their data breached after an unauthorized third party was able to access email addresses and in some cases passwords.
Only clients on the GetActive platform were affected -- none on Convio’s platform -- with unauthorized downloads of email addresses and passwords against 92 clients, about 7 percent of the company’s 1,300 clients, almost half of which use GetActive. Convio acquired GetActive earlier this year.
Downloads were made against another 62 clients but were not executed and did not result in data loss. Email addresses and passwords could be used for phishing scams and, if the combinations match access information, possibly to access accounts at online service providers like PayPal.
Convio declined to identify the organizations breached. The NonProfit Times uses the system to deploy e-letters but was not breached.
The attack was discovered late in the day on Nov. 1 and occurred sometime after Oct. 23. “It was a very sophisticated attack. It took us longer than we would have liked to recognize,” said Convio CEO Gene Austin. Some of the tasks the intruder performed were routine, as if it was an administrator on the system, he said.
The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by being routine, and now “we’re watching those standard routines much, much more closely,” he said.