The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered unauthorized access of its Form 990 Online and e-Postcard filing systems for some 850,000 organizations. The unauthorized access affected nonprofit users of IRS Forms 990, 990-EZ, and 990-N (e-Postcard). It also affected users of Form 8868 extensions and filings for charities in New York, Michigan and Hawaii.
An email alert was sent to affected users today but there were indications of suspicious activity in the e-Postcard system on Jan. 7, according to Media Relations Manager Stuart Kantor. At that time it was unclear what exactly had been compromised but on Jan. 23 there was evidence that e-Postcard user accounts were accessed. Beginning Jan. 24, users were prompted to change their passwords when they came to the site, he said.
An investigation revealed the full scope of the intrusion on Feb. 4, including which user accounts for both e-Postcard and the Form 990 Online were accessed. “We took the extra step of prompting Form 990 Online users to change their passwords as well and started preparing our notification process,” Kantor said in an email.
The Urban Institute estimates that about 1.1 million users in the combined databases were accessed: 1 million for e-Postcard and 90,000 for Form 990 Online. About 850,000 organizations are represented in the system, with some having more than one user.
The username, first and last name, email address, IP address, phone number and password associated with an organization were compromised. “Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts,” Elizabeth Boris, director of the Center on Nonprofits and Philanthropy, said in an email alert to affected organizations. “We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security,” she wrote.
“Currently we believe no information from the filings themselves was compromised,” she said. Sensitive information, such as Social Security numbers or credit card data are not included on such forms.
If organizations use the same password for its Form 990 Online and e-Postcard as they do for other websites or applications, Boris encouraged organizations to change those immediately in each instance, as well as on these systems.