Website Data Breach at Maine Nonprofit Exposes Donor Info

 


February 7, 2013; Source: Bangor Daily News

It’s kind of scary how your computer system might reveal information that you did not intend to share with the general public. In Brunswick, Maine, a nonprofit organization called People Plus mistakenly posted on its website a database of a portion of its membership, including how much each member contributed along with their address, telephone number, birthday, spouse or partner name, and emergency contact information. The database even had buttons allowing viewers to edit or delete the information or to download the entire database as a spreadsheet. Apparently the information was visible and searchable for two weeks before People Plus took it down this week. Even after the database was taken down, some of the information was still accessible on Google in a couple of different forms, including cached versions on Google servers.

People Plus Executive Director Stacy Frizzle said she had not been aware of the problem until contacted by a reporter. Frizzle acted quickly to shut down the organization’s website and remove the database, but the damage was already done. Frizzle attempted to contact each member who was listed on the database, as she should have. It also appears that there was no disclosure of information that would exacerbate identity theft concerns, such as social security numbers or credit card information, although members may not appreciate having their phone numbers and donation amounts revealed.

People Plus looks like a small nonprofit designed to promote a healthy, independent life and lifestyle for older adults. Originally known as the 55 Plus Center, it accomplishes its mission through programs that are clearly multi-generational, leading to its inclusion of a teen center for Brunswick youth. On its last Form 990 posted on Guidestar, People Plus showed total expenses for the 2010-2011 fiscal year of $265,298, of which $226,036 went to the operation of its community center. According to its annual report, its operating budget grew to $272,143 for 2011-2012, supporting a nine-person staff complement.

There seems to be no evidence that People Plus intentionally spurned its small-donor members’ desire that key information about their personal lives not be posted on the organization’s website (note: the annual report lists every donor by name). Rather, it seems that the organization suffered a glitch and no one noticed until a reporter stumbled over the information. Are there other small nonprofits that have found themselves at the mercy of inexplicable and unwanted data releases?—Rick Cohen
