When a Hacker Strikes an E-mail Service Provider

Nonprofit organizations using Convio, an e-mail service provider, were recently forced to put their crisis management strategies to work after the vendor’s computer system was hacked.

Convio revealed this month that a hacker obtained an employee’s log-in and password for one of its software platforms, logged in, grabbed an undisclosed number of e-mail addresses and passwords from 92 nonprofit and advocacy organizations, and prepared to download records for another 62 clients. Convio customers reportedly affected by the breach include the American Museum of Natural History, CARE, and the American Red Cross.

In a separate action, believed to be isolated to one other Convio client, the University of Connecticut Foundation, the hacker obtained partial credit card account numbers for about a dozen donors.

For the record, Tad Druart, Convio’s corporate communications director, says the data doesn’t appear to have been misused. The company, he said, reported the breach to law enforcement officials and has taken measures to improve security immediately and for the long term. Convio’s security director wasn’t available for an interview.

Convio’s incident is minor in scale compared with other data breaches, especially last year’s theft of credit and debit card information from TJX Companies’ computer systems.

Still, this case serves as a cautionary tale for e-mail marketers. It’s no secret: security concerns can hurt brand loyalty.

The average cost of a security breach in 2007 is $197 per record, according to a Ponemon Institute study sponsored by two security software vendors. Lost business accounts for $128 of that per-record cost; the remainder goes to ex-post response ($46), customer notification ($15), and breach detection ($9).

Consider UConn Foundation’s multipronged response to the incident. Telephone calls were made to one dozen donors whose partial credit card numbers were exposed and to 150 others whose e-mail addresses and passwords to the Convio system were swiped, says Art Sorrentino, the foundation’s spokesman. The UConn Foundation e-mailed another 89,000 constituents whose e-mail addresses were exposed. Online, the UConn Foundation provides updates and explains what the breach means.

“We prefer to err on the side of caution, and give people more information,” Sorrentino says. Once it learned of the breach, the foundation’s team developed its action plan.

Some history on Convio: the Austin, Texas-based company’s customers are nonprofit and advocacy groups; it helps these organizations collect and manage donations online and, in some cases, runs their e-mail service. Business took off four years ago after Howard Dean’s presidential campaign used its software to help raise millions.

Fast-forward to 2007: Convio has its sights set on becoming an even bigger player, filing for an initial public offering of its stock in August and acquiring rival GetActive in February. (The breach affected customers using the GetActive platform.)

While some might be inclined to dismiss Convio’s breach as harmless, not everyone sees it that way.

“If you’re one of those affected, this breach becomes big to you,” says Mike Spinney, communications director of the Ponemon Institute, an organization that preaches responsible information and privacy management practices.

Data breaches occur in an assortment of ways. The Ponemon study, released this week, finds that the loss or theft of a laptop or another device accounts for one in two breaches, while a third party or outsourcer is the most significant source in 16 percent of incidents.

Laptops are typically stolen for the hardware, and not for the information they hold, Spinney says. Convio’s breach is troubling, he says, because someone appeared to be seeking specific information that could be used to commit fraud.

“The information obtained can be very valuable to a skilled social engineer to carry out phishing scams and other types of fraud. Just because a SSN [Social Security number] or credit card account isn’t part of the haul doesn’t mean the information is of no use,” Spinney wrote in a follow-up e-mail to ClickZ.

How should marketers respond to a breach, including those stemming from partners and vendors? Consider this advice from the Ponemon Institute:

  • Avoid a breach. “Do things in advance so you don’t face the situation,” Spinney advises. That includes assessing your security risk and those of third-party partners before an incident occurs.
  • Don’t let your guard down. Building in safeguards involves more than installing security software. People must be educated and processes adopted to avoid breaches. “You need good technology and good people who follow best practices,” Spinney says.
  • Comply with laws. Report the data breach to law enforcement officials. For its part, Convio reported the breach to the FBI’s national Internet crime unit. Keep in mind that 35 states, including California, require businesses and other organizations to notify customers and others when personal information has been compromised by unauthorized access.
  • Communicate with customers. In addition to notifying those personally affected by a breach, ensure they understand the breadth and potential risks and offer them specific measures to thwart fraud.
  • Review security processes, again. Convio hired third parties to perform a security audit and to help with its investigation and work with law enforcement agencies. It also took immediate steps, such as reducing the number of people who have access to its platforms, and revoked and reissued administrator passwords.

What lessons can be learned from Convio’s breach?

“This is the cost of doing business using electronic media,” says UConn Foundation’s Sorrentino. “The best thing we can hope to do is catch it early and do the right thing by contacting those affected, and making sure we take every step possible to protect them.”
