Where and when did the security breach occur?
The breach by an outside party occurred between October 23 and November 1, 2007 on the network of Convio, Inc., an online services firm with whom AMC partners to provide e-newsletter services to the AMC community. Convio reports that "the attack was perpetrated by an outside party commandeering the account of a Convio staff member. Working as an authorized administrator, the intruder was then able to access client data."
The breach did not occur on any computer or network owned or maintained by the AMC.
When did you learn of the breach?
AMC first learned of the breach on Monday, November 7, 2007. At the time, Convio, Inc. did not believe that AMC data had been affected. On November 15, 2007, Convio, Inc. notified AMC that in response to new information acquired during a forensic investigation, there is a reasonable probability that the intruder did, in fact, acquire email addresses and user-generated passwords for 4,400 AMC constituents. This security breach affects less than 10% of subscribers to AMC e-newsletters.
What was the AMC’s response to the breach?
AMC worked with Convio on Thursday and Friday, November 15-16, to gather information regarding exactly what data was exposed, and from which people. Once accurate information was obtained from Convio, affected individuals were contacted by AMC via email on Friday evening.
AMC also worked with Convio to reset all passwords of AMC constituents on Friday, November 16 as a precautionary measure. To gain access to your account, follow the link to your "Subscription Management" site at the bottom of the e-mail that you received. From there, you should be able to have your new password mailed to you, or you can log into Convio and change it.
What organizations were affected by the breach?
More than 90 non-profit organizations nationwide were affected by this breach.
Why was this information stored and provided to a third party company?
Many nonprofits outsource email delivery in order to be compliant with current anti-spam regulations and ensure delivery of emails through ISPs like AOL and Earthlink. This information was used only to deliver AMC e-newsletters and was not shared with any other organization.
What kind of information was exposed?
In AMC’s case, for 4,400 subscribers, an e-mail address and associated user-generated password were obtained by an unauthorized third party as part of this breach. No personally identifiable information — such as name and address, credit card number or other financial data — was taken. In fact, AMC does not store any such credit card or financial information in the Convio system.
Why or how do you have my e-mail address?
AMC manages several e-newsletters through Convio, including the Conservation Action Network, the Outdoor Connection, the AMC Insider, and the MWI News. Your email address would be stored in the system if you are an AMC member, have recently stayed at an AMC Destination, or have opted in to any of the newsletters listed above.
Can my e-mail account be accessed because of this?
No. What was obtained was the e-mail address and the password specific to accessing Convio’s site, not any passwords or data needed to read your e-mail (unless the password used to access your email is the same as your Convio password).
What action should I take?
Since the information obtained was your e-mail address and a Convio password, you should carefully review your e-mail for messages that seem to come from the AMC and which request personal information like credit card or social security numbers. AMC will never ask you to provide such personal information in an email. Convio has also released some suggestions for online security in general (below).
Instructions on how to update your password will be provided in an email from AMC, sent only to subscribers impacted by this security breach. Please follow these instructions closely.
- If you use the same email address and the same password for any other online service, such as your bank or PayPal, places where you shop online (like Amazon), or online email accounts at services like Yahoo, we recommend that you change your password with those providers as soon as possible. If you are not sure whether you used the same password at other services, change your passwords to be on the safe side.
- If you do not re-use the same password with other online services, you do not need to take any further action, and are following good Internet security practices.
- We also recommend that you be on the alert regarding email that appears to be from a brand-name organization and urges you to visit a Web site to provide personal or financial information because your account may have been compromised or deactivated. Neither Convio, GetActive nor any of our nonprofit clients will ever ask you to provide such personal information via an email. You should not visit the Web site being promoted and should delete any such email you receive.
- You may also want to monitor your own credit activity.
Does this relate to other online transactions at AMC, such as membership registrations, renewals, donations, lodging reservations, etc.?
No. This does not affect any online transactions conducted on Outdoors.org. It is limited to marketing and advocacy e-mails sent through Convio only.
Is there a criminal investigation of this incident?
Convio has reported the breach to the FBI’s Internet Crime Reporting service, and is working with the FBI and independent forensic experts to address the situation.
Who can I contact to learn more information?
Convio has released a statement on their Web site, located at www.convio.com. Convio has informed us that they are staffing a toll-free number for constituents who might have questions. That number is 1-800-501-8193.
For questions specific to the AMC, you may email AMConlinesecurity@outdoors.org; this inbox will be monitored during business hours.