[Dataloss] fringe: Hacker Breaches Marketing Software Maker

security curmudgeon jericho at attrition.org
Fri Nov 30 22:12:16 UTC 2007


So far, there is no proof or evidence that PII was compromised. However, 
some of the articles and quotes from Convio are suspicious to me. ".. had 
to do with passwords and e-mail addresses and not anything more severe". 
When you log in to the site as one of the clients, it seems odd that the 
page would not show a little more information about the account, be it a 
name, login ID or something. - jericho

---------- Forwarded message ----------
From: Joel Baumgartner <beautiful.scarredme at yahoo.com>

  AUSTIN (AP) -- A marketing software company serving nonprofits across the 
country including The American Red Cross said Tuesday that a hacker stole 
e-mail addresses and password information from its clients' databases.
  Tad Druart, a spokesman for Austin-based Convio Inc., said the company 
has notified federal authorities of a data breach between Oct. 23 and Nov. 
1. The hacker used an employee's password to get at the data, Druart said.
  No Social Security numbers or bank account information was stolen, Druart 
said. He said the company immediately notified the 92 companies affected, 
though he would not name them, and it wasn't known how much information 
was compromised.
  Red Cross spokeswoman Stephanie Millian confirmed that roughly 278,000 
e-mail addresses and a smaller number of passwords were taken from a Red 
Cross blood drive Web site that ran on Convio's software. She said the Red 
Cross notified affected users Nov. 14.
  "We were fortunate in that this had to do with passwords and e-mail 
addresses and not anything more severe," Millian said.
  Convio, which has filed papers to prepare for an initial public offering, 
has 1,200 clients. Only clients using a program called GetActive, which 
Convio acquired in March, were affected by the hacker, Druart said. It was 
the first time the company's online security has been compromised, he 
added.
  Convio said it continues to investigate the breach and has hired outside 
security experts and taken other measures to prevent future attacks.

