92 Convio Clients Hit In Security Breach

November 6, 2007       Mark Hrywna      

Nearly 100 clients of nonprofit software provider Convio had their data breached after an unauthorized third party was able to access email addresses and in some cases passwords.

Only clients on the GetActive platform were affected — none on Convio’s platform – with unauthorized downloads of email addresses and passwords against 92 clients, about 7 percent of the company’s 1,300 clients, almost half of which use GetActive. Convio acquired GetActive earlier this year.

Downloads were made against another 62 clients but were not executed and did not result in data loss. Email addresses and passwords could be used for phishing scams and if combinations match access information, possibly online service providers like PayPal.

Convio declined to identify the organizations breached. The NonProfit Times uses the system to deploy e-letters but was not breached.

The attack was discovered late in the day on Nov. 1 and occurred sometime after Oct. 23. “It was a very sophisticated attack. It took us longer than we would have liked to recognize,” said Convio CEO Gene Austin. Some of the tasks the intruder performed were routine, as if it was an administrator on the system, he said.

The intruder attempted to harm a donation page for a site “and that obviously is a nonstandard process very different from normal. Once that happened, we clearly knew something was wrong and caught them,” Austin said. The intruder began the attack by being routine, and now “we’re watching those standard routines much, much more closely,” he said.

Convio alerted those clients most affected by the breach, as well as others using the GetActive and Convio platforms. An intruder obtained the login and password of a Convio employee, but no personally identifiable information, such as financial or credit card data was accessed.

“We immediately spent that night (Nov. 1), and most of the second, understanding the issues as well as eliminating any access points for further intrusion,” Austin said, and the rest of the weekend notifying clients. Each of the communications gave organizations tips on how to communicate and work with their constituents, including recommendations on changing their password and an 800-number to handle future questions.

Since the breach did not involve financial or personal information, it might not be a priority for the FBI, but Convio has submitted everything to authorities, as well as launching its own forensic investigation. “We’re starting to getting pieces of information this week, but we will not have a full picture for two or three weeks. We’ve installed additional monitoring, and doing a number of things to over-tighten the environment. The root cause will not be known until later this month,” he said.

“The most important thing for us now is to focus on clients and make sure they are on their feet as soon as possible,” Austin said. “Certainly we understand they trust us to manage this data. That trust has taken a little hit, and it’s important to regain and rebuild it.”

Convio recommended that clients notify their constituents with user-created passwords that may have been disclosed. In addition, the company recommended clients to be on alert regarding email that “appears to be from a brand-name organization and that encourages you to visit a Web site to provide personal and financial information. Please be assured that we will never ask you to provide such personal information in an email.”

Convio acquired GetActive Software in January for approximately $17 million and filed in August to become a public company. The Initial Public Offering (IPO) is still in its quiet period and under review by the Securities Exchange Commission (SEC). The IPO “is not playing into our decision making as to how we support our clients,” said Tad Druart, director of corporate communications. The quiet period will continue until the actual public offering which Austin said could be in the first quarter of the year or sooner, but it depends on a number of factors.