Bob Diachenko of HackenProof.com reports:
Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are most known for their nationwide advertising using their hypnotic theme song where a child and a Johny Cash impersonator sing the phone number and invites people to donate their cars today.
On the 3rd of November, Bob Diachenko, Director of Cyber Risk Research at Hacken has found what appeared to be a publicly accessible MongoDB. Upon further investigation, the data seemed to contain the emails and personal data of 21,612 Kars4Kids donors/customers and super administrator login and password details.
Read more on HackenProof. Zack Whittaker of TechCrunch also reports on the leak that also involved a hack.
But note the problems Bob had with making notification to the charity. It is the same frustrating situation that I have encountered – and reported upon – numerous times. Bob writes:
On the 3rd of November, a notification email was sent to multiple email addresses with no reply and the database remained open until the evening of November 5th. It took 3 hours by phone to reach someone despite telling the volunteers who answer the phones that this is a serious issue and we need to speak with someone in the IT Technology department or senior management. On one occasion the call was forwarded to someone in Israel who could not give me names, contacts, or emails of anyone who could secure the data and told me to call the same main number again.
We understand that it is a common practice to create a buffer zone between the public and senior managers or leadership. However, the most shocking thing was that an organization or company would not have a data breach or crisis action plan for when a report is made. During the notification process, we told anyone who would listen what happened, how important it is and that we must speak with someone to help secure this data urgently. The issue here is that every organization must understand the value of the information they store and collect. They must take every possible step to secure and protect that data. This includes training everyone to be on the same page and enact a data breach protocol for when the worst happens.
To my knowledge, the FTC has only taken enforcement action once for failure to have an incident response plan in place that enabled people to quickly report leaks or breaches. The FTC does not have authority under Section 5 to go after a not-for-profit, so who would do anything about this incident? Would a state attorney general’s office go after a charity that is oriented to helping kids? It might make for bad PR for the office.
Anyway, if anyone received a notification from Kars4Kids, please send a copy along to DataBreaches.net. I’d like to see what they told those affected.