Nearly a million non-profit donors' details left exposed in unsecured database
Trusted by major charities, DonorView publicly exposed children’s names and addresses, among other data
Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database.
The database is owned and operated by DonorView – provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals.
Infosec researcher Jeremiah Fowler found 948,029 records exposed online including donor names, addresses, phone numbers, emails, payment methods, and more.
Manual analysis of the data revealed what appeared to be the names and addresses of individuals designated as children – though it wasn't clear to the researcher whether these children were associated with the organization collecting the donation or the funds' recipients.
Another document seen by Fowler revealed children's names, medical conditions, names of their attending doctors, and information on whether the child's image could be used in marketing materials – though in many cases this was not permitted.
In just a single document, more than 70,000 names and contact details were exposed, all believed to be donors to non-profits.
Neither Fowler nor The Register has received a response from the US-based service provider, though Fowler said it did secure the database within days of him filing a disclosure report.
- 23andMe responds to breach with new suit-limiting user terms
- Hershey phishes! Crooks snarf chocolate lovers' creds
- Regulator says stranger entered hospital, treated a patient, took a document ... then vanished
- Plex gives fans a privacy complex after sharing viewing habits with friends by default
DonorView claims to have more than 150,000 users, including major organizations such as Habitat for Humanity and Meals on Wheels America.
Although the database is now secure, Fowler noted that the length of time for which the information was exposed couldn't be determined – nor was it clear if the data had been accessed by unauthorized parties.
The finding illustrates the importance of keeping databases secure, and will likely raise alarm over the potential for phishing attacks against donors whose information was exposed.
"Any data incident that exposes donor information is a significant concern," argued Fowler. "Hypothetically, criminals would have sufficient information to contact donors and pose as a charity or cause donors have previously supported and are passionate about, to initiate a fraudulent donation request.
"The database even contained donor templates that could be modified and sent to prospective donors. Criminals could potentially create similar email addresses and contact donors to update their payment information. In such situations, the criminal could then ask for credit card and banking information or additional personal data.
"With insider knowledge and the donor's history details, the victim would have no immediate reason to suspect potential fraud." ®