What did People Plus leak?
Nearly every entry in the leaked People Plus database contained a member’s full name, telephone number, home address, birth date, partner or spouse name, email address, IP address and emergency contact information, which also included a phone number and home address.
Every entry also included whether the member lived alone and how much they donated. People Plus Executive Director Stacy Frizzle said $25 was the standard membership rate, although the largest donation listed was $3,200.
Before the People Plus database was taken down on Monday, Feb. 4, all of the information was easy for an outsider to manipulate: “Edit” and “delete” buttons appeared next to every membership entry in the database.
The database also gave anyone the ability to download it to their computer as a spreadsheet file.
BRUNSWICK, Maine — A security leak that existed for at least two weeks on a nonprofit organization’s website has some of its members concerned their confidential personal information was accessed.
The partial membership database on the People Plus website contained names, telephone numbers, spouse names, home addresses, donation amounts and other personal information. It was available to anyone with an Internet browser between at least Jan. 20 and Feb. 4.
The availability of the 61 entries was discovered by a reporter from The Forecaster on Monday afternoon as part of a page of Google search engine results.
People Plus Executive Director Stacy Frizzle was not aware of the problem until she was questioned by the reporter. Shortly afterwards, she said, she contacted the webmaster, Allen Tucker, who is also a computer science professor at Bowdoin College, and had the information removed.
Within an hour, the organization’s full website was taken down. It was later restored without the database.
“He shut it down immediately,” Frizzle said.
But the data has already rippled beyond the nonprofit’s control: Some, if not most, of the database could still be accessed on Google as of Wednesday morning.
Some names, phone numbers and other information can be found in the Google result pages themselves. There are also cached versions of the database stored on Google’s servers, which means anyone can still access the information with the correct search query and a few mouse clicks.
According to information on the cached pages, Google took a snapshot of the pages on Jan. 20. Whether the data was accessible earlier than that could not be determined.
Frizzle said she contacted Google on Monday to request the removal of 66 cached pages, but added that “it could take a little bit” of time until they are removed.
People Plus members whose information was part of the leak said they were surprised to learn the information was out in the open — especially since the group’s online membership form promised that what they submitted would be kept “strictly confidential.”
Gloria Yanni of Brunswick said she was surprised the newspaper reporter was able to reach her on her cellphone — a phone number she kept private, until it was listed publicly on the People Plus database.
“I think it’s disturbing,” Yanni said. “I think it’s a security issue for people living alone, especially females.”
Yanni said she works at a law firm as a legal assistant, so she’s “very aware of how that information can be used.” For instance, she said, information about whether an elderly person lives alone — which was part of the People Plus data — could make them vulnerable.
In addition, Yanni said, a security leak like this could even make her vulnerable to unsolicited emails, phone calls or worse.
“I don’t want [people] to know where I live, I don’t want them to know my phone number,” Yanni said. “If they get their hands on it, it’s not OK.”
Michelle Moody of Topsham, whose information was also compromised, noted the caching abilities of search engines like Google make incidents like this hard to contain.
“That’s stuff you would rather not have out there because it could be misused,” Moody said, although she expressed relief that People Plus acted quickly when it learned about the problem.
Mary Sohl of Harpswell, whose data also appeared on the website, said she is “always amazed and a little appalled at the stuff that is out there on the Web.”
“I guess if someone’s looking, there’s going to be one way or another and if it’s just my phone number it doesn’t bother me too much,” Sohl said.
Kaylene Waindle, a spokeswoman for the Maine attorney general’s office, said the office’s consumer protection division handles “many cases related to data breaches,” but “this particular case seems not to trigger” any legal questions.
What went wrong
Frizzle said Tucker, the webmaster, told her a glitch must have occurred when he was switching the nonprofit to a new database management system with a higher security system protocol. She said Tucker was adding information from the nonprofit’s membership database to test the new system.
While some of the information — including phone numbers and home addresses — was verified by The Forecaster, Frizzle said some of the database entries contained dummy information, because Tucker had to fill every field to fully test the new system. She said it didn’t occur to Tucker that anyone would be able to find the information.
She also noted that People Plus has more than 900 members, which means the security leak only represented a small fraction of the membership.
That didn’t satisfy Yanni.
“I don’t care if they had a glitch or not,” she said. “Hire a professional page designer and before you have that information up there, make sure it’s not linked. … I’m not happy about it.”
Frizzle said she has emailed all members who were part of the leaked database to tell them what happened.
“The organization is looking at multiple ways of securing information,” Frizzle said. She said the new security software they will begin to use “is one of the main sources we’re going to use to address security within membership-driven organizations like ours. … Any organization that needs a secure database is running into this problem.”
Troy Jordan, a system security analyst with the University of Maine System, said there are ways to prevent leaks.
“It takes some consideration: someone needs to think along those security lines,” Jordan said. “The other thing you can do is, [for] anyone developing a Web application, [they] need to keep in mind the standard best practices for Web development.”
Jordan also said it’s fortunate that more sensitive information, such as credit card or Social Security numbers, wasn’t leaked.
“Unless someone has private unpublished numbers,” he advised, “they don’t have a whole lot to worry about in this case.”
He also noted that this type of security issue is becoming more common, whether because of errors inside an organization or because of a breach from outside.
Last week, a cafe in downtown Portland reported a security breach that compromised customers’ debit card information. Last year, nearly 35,000 TD Bank customers were victims of a security breach that involved their Social Security numbers and bank account numbers.
“They’re happening every day,” Jordan said.