Many nonprofit organizations received an email yesterday, February 24, 2015, from the National Center for Charitable Statistics (NCCS) informing them of a data breach within NCCS’ Form 990 Online and e-Postcard filing systems.
Hackers accessed usernames, first and last names, email addresses, IP addresses, phone numbers and passwords for approximately 700,000 registered users of these sites. Other publicly available information specific to nonprofits was also accessed, such as employer identification numbers and names and addresses for organizations. NCCS has confirmed no social security numbers or credit card information was obtained through the breach.
The investigation into who is behind the hack is still active and NCCS is working with law enforcement and a cybersecurity firm as part of this process. The Form 990 Online and e-Postcard filing systems have been rebuilt on new, secured servers and users are able to access and timely file their tax information without interruption.
What should you do if you received the letter?
- Change your Password: NCCS is requiring all registered users to change their passwords. In addition, if users use that same password for other sites, NCCS is encouraging them to change it on those sites, as well.
- Communicate with your Board: Whether through a short email or quick phone calls, let your board members know what happened and help them put the risk in perspective.
- Prepare a Plan for Donor Communication: NCCS is not currently aware of any compromised Schedule B information, but stated the investigation is ongoing. Schedule B is part of the Form 990 and Form 990-EZ and is not available for public inspection. The schedule contains names and addresses of contributors. If NCCS determines that that information was obtained, then having a donor communication plan that is ready to launch will save you from strategizing under intense time-pressure.
Our recent blog post on Safeguarding Trust with IT Security, provides a starting point of considerations as you evaluate your current IT security strategy.