Donor, Nonprofit Data Security Lapse at DonorView
Hundreds of thousands of donors and an unknown number of charities and businesses might have had private information exposed as the result of a security lapse involving fundraising and donor management platform DonorView.
Exactly how long the security lapse went undetected is still unclear. A spokesperson for DonorView said it was quickly addressed, but the researcher who brought it to the company’s attention told The NonProfit Times the data was likely exposed for at least a week before the issue was fixed.
“A researcher reached out to us about a potential vulnerability on one of our temporary storage areas. Our team acted quickly on it and resolved the issue, and we do not believe that the data was accessed or ever made publicly available,” according to Melissa Whitley, a DonorView support team member.
She declined to provide further comment.
Nearly 950,000 donor records might have been at risk, according to a published report by cybersecurity researcher Jeremiah Fowler recounting his discovery of the exposure. “DonorView claims to have over 200,000+ users on its website, but with the database containing just under a million documents, it is unclear exactly how many donors were affected,” he wrote in a post on security blog VPN Mentor.
In a subsequent email, Fowler told The NonProfit Times he discovered the lapse on or about Oct. 9 and reported it to DonorView through the company’s online support system on Oct. 11. “I checked it again on 10/16 and I could see that the records were still exposed, so I sent a second responsible disclosure notice. Several days later I checked a third time and noticed access was closed. Unfortunately, I never received any reply,” Fowler wrote.
The potentially compromised records are believed to have included payment methods (PayPal, Venmo, check and credit card information) and other personally identifiable information such as donor names, addresses, phone numbers, emails and more. Proprietary information involving individual charities and businesses that donated to them might have also been exposed.
“Among other potentially sensitive information in the database, I saw a document that raised money for children through a hospital charity that contained various details including the child’s name, attending doctor’s name, outlined medical conditions, and waivers indicating whether the child’s image could be used for marketing purposes,” according to Fowler.
Several well-known charities are listed as clients on the DonorView website including Boys & Girls Clubs of America, Habitat for Humanity, Meals on Wheels, and more. Fowler said it’s incumbent on DonorView and other companies that provide services to them to use the latest encryption technology and to have protocols for immediately and transparently notifying users in the event of any data breach or potential compromise. However, it is unclear if notification was provided to them.
“Backup data is still data,” Fowler told The NonProfit Times. “I always say that the data of the people you serve is equally as valuable as the products or services you sell.”
Fowler stopped short of accusing company officials of dragging their feet on the matter but expressed concern at the apparent delay in addressing it. “The cloud storage database was accessible to anyone with an internet connection and required no real specialized tools other than a native open-source browsing tool to view the documents,” he told The NonProfit Times. “The fact that it remained open for days after my notification is troubling. When data is publicly exposed every second counts and each day increases the potential risks of the data falling into the hands of malicious actors.”
Had a ransomware gang or other bad actors found it prior to Fowler, there’s no telling what might have happened. “Only DonorView would know who else may have accessed the records and the timeline of exposure,” according to Fowler. “It is not my intention to imply wrongdoing or to suggest that exposed records, charities, or individuals were ever at risk. My objective is purely to contribute to heightened cybersecurity awareness and to advocate for robust data protection measures across digital platforms and repositories.”
Fowler initially discovered the exposure through a web mapping project he uses to conduct port scans for publicly reachable services, according to VPN Mentor spokesperson Lisa Taylor. “Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data,” she told The NonProfit Times.
This article was originally published by The NonProfit Times.