Thursday, November 8, 2007

Nonprofits' Data Breached Yet Again In Software Attack

By Mark Hrywna
Salesforce.com is the second software vendor to nonprofits this week to announce a data breach. The firm alerted its clients of phishing attempts and the security breach. The most recent phishing attempts included malware, software that secretly installs viruses or key loggers.

Salesforce.com sent security alerts to customers regarding two recent phishing emails: one titled "FTC" on Oct. 29 and the other "We want to make a order with..." on Nov. 6. The San Francisco-based company refused comment, except for a letter to clients that indicated “a rise in phishing attempts directed at salesforce.com customers over the past few months.” The firm has more than 30,000 clients, fewer than 10 percent of which are nonprofits. The firm offers small organizations licenses for up to 10 users at no cost.

The announcement came three days after Convio announced it had a security breach with at least 92 clients, as previously reported on http://www.nptimes.com/.

“When we first saw signs of this sudden rise, we conducted a thorough analysis,” according to the salesforce.com announcement....


Tuesday, November 6, 2007

92 Convio Clients Hit In Security Breach

Firm says no financial data was accessed
By Mark Hrywna

Nearly 100 clients of nonprofit software provider Convio had their data breached after an unauthorized third party was able to access email addresses and in some cases passwords.

Only clients on the GetActive platform were affected -- none on Convio’s platform -- with unauthorized downloads of email addresses and passwords against 92 clients, about 7 percent of the company’s 1,300 clients, almost half of which use GetActive. Convio acquired GetActive earlier this year.

Downloads were made against another 62 clients but were not executed and did not result in data loss. Email addresses and passwords could be used for phishing scams and, if combinations match access information, possibly to access online service providers like PayPal.

Convio declined to identify the organizations breached. The NonProfit Times uses the system to deploy e-letters but was not breached.

The attack was discovered late in the day on Nov. 1 and occurred sometime after Oct. 23. “It was a very sophisticated attack. It took us longer than we would have liked to recognize,” said Convio CEO Gene Austin. Some of the tasks the intruder performed were routine, as if it was an administrator on the system, he said.

The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by being routine, and now “we’re watching those standard routines much, much more closely,” he said.

Where fraud is occurring at nonprofits

It is a sad fact that fraud has taken place at nonprofit organizations, just as it has out in the for-profit and bureaucratic world.

At the American Institute of Certified Public Accountants Not-For-Profit Industry Conference, Gerard M. Zack, president of Zack Accounting and Consulting and founder of the Nonprofit Resource Center Inc., outlined the recent trends that are showing up in nonprofit fraud.

According to Zack, a 2006 study showed that private companies had 36.9 percent of fraud cases, public companies 31.7 percent, government agencies 17.6 percent and nonprofits 13.9 percent. The median loss was $100,000.

He noted that while traditional check tampering and disbursements continue to be prevalent, certain varieties within those areas have become apparent.

They are:

  • A significant increase in cases involving corruption, including kickbacks, bribes and undisclosed conflicts of interest;
  • An increase in cases involving electronic access to or theft of data, sometimes while employees are working off site, hacking into networks, etc.;
  • An increase in external attempts at check tampering and electronic transfers from NPO accounts;
  • An increase in cases in which a nonprofit is held liable for frauds perpetrated by its employees or agents against others; for example, an employee steals credit card information of a member of the organization; and,
  • An increase in the use of sham or impersonator charities.

This article is from NPT Weekly eNewsletter, a publication of The NonProfit Times.