1-877-KARS4KIDS had a data breach

Bad news: 1-877-KARS4KIDS had a data breach.

Worse news: now you'll have that awful jingle stuck in your head all day. The New Jersey-based charity has plagued the American airwaves for years with the "most hated" jingle to try to get consumers to trade in their car — for the kids! In return, you get to write off the donation from your taxes, and you're given a "holiday voucher" to sweeten the deal. But a security lapse left thousands of those donation records exposed for anyone to find. Bob Diachenko, Hacken.io director of cyber risk research, earlier this month found the company's MongoDB database on a server, wide open and without a password. The server contained 21,612 records and climbing — representing weeks' worth of data, Diachenko told TechCrunch, prior to blogging his findings.

The data included donor email addresses and donation receipts, which included customized links to a donor's tax receipt.

He also found credentials, which he said could have allowed a hacker to access far more sensitive data. Yet it took Kars4Kids two days to pull the database offline after Diachenko warned of the data exposure, he said. Diachenko said that Kars4Kids had told him that customers had been informed, but TechCrunch has found no evidence of the company's claim. Under state law, Kars4Kids is obligated to inform New Jersey's attorney general of the breach. Kars4Kids spokesperson Wendy Kirwan did not respond to a request for comment sent prior to publication. It isn't known how long the database was exposed, but Diachenko said he wasn't the first to discover the database.

A note left in the database by a hacker claimed to have "downloaded and backed up"; the hacker demanded bitcoin in exchange for the data's safe return. The breach represents a portion — though not all — of the cars that Kars4Kids receives annually — reportedly tens of thousands each year.

The nonprofit has been criticized over the handling of its finances, and currently has a "moderate concern" rating from independent evaluator Charity Navigator.