A special report to Downsize DC Donors
We told you in May we were "attacked" by hackers. Those words conjure many thoughts, some misleading. We want to provide more details here...
THURSDAY, APRIL 18
Our Internet service provider updated our mail server. This is usually a routine procedure with no complications. This was one of those “not” times. Various internal emails stopped arriving. Four days later on...
MONDAY, APRIL 22
We realized we weren't getting email notices of credit card contributions and attempts. We asked our mail server manager to fix this. But . . .
He had broken his ribs and collarbone in a motorcycle accident the day before! Surgery was scheduled. I could hear the pain in his voice as we talked on the phone. Our email problem seemed like a low priority, in comparison. But...
If we had been getting our email notices we would've observed what started to happen around 5 PM on...
WEDNESDAY, APRIL 24
Fraudulent contributions were made through our online form.
They continued until...
FRIDAY, APRIL 26
My phone started ringing that morning. Angry people were calling because their cards had been charged by our account. These were complete strangers, NOT DC Downsizers.
Those calls didn't stop until about two weeks ago. Some days there would be seven or eight of them. In total...
- There were more than 4,300 attempts to use our system to make fraudulent charges
- Nearly 1,500 attempts were "successful"
- Leading to a whopping $52,000 in false charges!
We blocked all of this from continuing as soon as we realized it was happening. By the close of business that Friday we provided our credit card merchant account with a list of all the false transactions, so they could be reversed.
I wish that was the end of the story, but we also had to . . .
- Close our checking account
- Change to a new merchant account company
- Create a new online contribution gateway
- MANUALLY transfer a few hundred monthly pledge records to the new merchant account company
Our entire staff was involved in this. Even me. This caused us to neglect other important functions like...
- Media interviews
- New action items
- Programming for the new Zero Aggression website
This amounted to five weeks of stalled progress and frustration. Still, we’ve emerged more secure than before.
We got calls from two supporters who are web security specialists when they heard about the attack. They helped us do a security test. We passed. In addition, we’ve also added . . .
- Extra measures to protect ourselves against this specific type of attack
- Systems to protect against special circumstances and broken collarbones
It’s important to realize that...
Your personal account information was in no danger at any time.
This was NOT that kind of attack.
Neither do we have any vulnerabilities that would threaten your account in any way.
We were simply the victim of a robo-attack that used our system to make fraudulent credit card charges.
This was NOT done for the gain of the attacker, but simply to harm us, making us waste time and money reversing all the false charges. Which brings us to . . .
A remaining SERIOUS problem
When we transferred our monthly pledges to the new merchant account not all of our data entry was accepted by the new system, even after double-checking. The result?
Our pledge income, UPON WHICH WE RELY, is down 38%.
That spells big trouble, unless those who have monthly pledges with us can take immediate action to help us fix the problem. If you’re a monthly pledger, please do this . . .
- Check your credit card statement.
- If your card was not charged in May or June, then you're part of that nearly 40% loss. And we'd like to ask you to please, as quickly as possible, restart your pledge.
- You can do so using our new EXTRA-SECURE contribution form.
But not everyone receiving this message will read it. Not everyone who does will follow through to renew, even if they mean to do it later. That's just the way life works. So...
Now would be a great time to increase your monthly pledge of support, if you possibly can.