[BreachExchange] 1-877-KARS4KIDS had a data breach

Destry Winant destry at riskbasedsecurity.com
Wed Nov 14 02:59:39 EST 2018


https://techcrunch.com/2018/11/13/kars4kids-data-breach/

Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll
have that awful jingle stuck in your head all day.

The New Jersey-based charity has plagued the American airwaves for
years with the “most hated” jingle to try to get consumers to trade in
their car — for the kids! In return, you get to write off the donation
from your taxes, and you’re given a “holiday voucher” to sweeten the
deal.

But a security lapse left thousands of those donation records exposed
for anyone to find.

Bob Diachenko, Hacken.io’s director of cyber risk research, earlier
this month found the company’s MongoDB database on a server, wide open
and without a password.

The server contained 21,612 records and climbing — representing weeks’
worth of data, Diachenko told TechCrunch, prior to blogging his
findings. The data included donor email addresses and donation
receipts, which included customized links to a donor’s tax receipt. He
also found credentials, which he said could have allowed a hacker to
access far more sensitive data.

Yet it took Kars4Kids two days to pull the database offline after
Diachenko warned of the data exposure, he said.

Diachenko said that Kars4Kids had told him that customers had been
informed, but TechCrunch has found no evidence of the company’s claim.

Kars4Kids spokesperson Wendy Kirwan acknowledged the breach in an
email Tuesday, adding that its “legal team advised that we are not,
according to state law, obligated to inform the NJ Attorney General
about the breach.”

It isn’t known how long the database was exposed, but Diachenko said
he wasn’t the first to discover the database. A note left in the
database by a hacker claimed to have “downloaded and backed up”; the
hacker demanded bitcoin in exchange for the data’s safe return.

The breach represents a portion — though not all — of the cars that
Kars4Kids receives annually — reportedly tens of thousands each year.
The nonprofit has been criticized over the handling of its finances,
and currently has a “moderate concern” rating from independent
evaluator Charity Navigator.

