Wednesday, February 25, 2015

Nonprofits, please note: Security Alert for Form 990 Online and 990-N e-Postcard

From Form990.org:

The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered that an unauthorized party or parties have gained access to the Form 990 Online and e-Postcard filing systems for nonprofit organizations. This unauthorized access affected nonprofits that used IRS Forms 990, 990-EZ, and 990-N (e-Postcard). It also affected users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts. We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security. Our investigation is ongoing.

Based on current information, we believe no information from the filings themselves was compromised. These forms do not contain Social Security numbers or individual tax filer information, so such sensitive information was not available to the hackers. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS annually.

If you use these systems on behalf of your nonprofit, we strongly encourage you to change your password immediately. If you use the same password for your organization’s Form 990 Online and e-Postcard that you do for other websites or applications, we strongly encourage you to change it immediately in each of those instances.

To change your password on Form 990 Online, click here.

To change your password for e-Postcard (990-N), click here.

To enhance security, all users accessing the Form 990 and e-Postcard systems are also being required to change their passwords upon logging in, or were when they logged in most recently.

The Urban Institute has a strong commitment to privacy and data security and will continue to work diligently to protect your organization’s data. We apologize for this disruption and any inconvenience this incident may cause our users.

If you have any questions, please consult the FAQ below. You may also contact us at security@form990.org or at 1-800-564-9110.

Sincerely,

Elizabeth T. Boris
Director, Center on Nonprofits and Philanthropy

FAQ

How will I know if my nonprofit’s information was accessed?
The intruders gained access to information on all registered users for the nonprofit organizations that have used IRS Forms 990, 990-EZ, and 990-N (e-Postcard) on these systems. This also affects registered users for IRS Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

If you have used these systems, it is likely that some of your information was accessed. All users were sent an email notification by the Urban Institute.

What information was accessed?
Usernames, first and last names, email addresses, IP addresses, phone numbers, and passwords were accessed. Other publicly available information may have been accessed as well, such as the Employer Identification Number (EIN), name, and address of the nonprofit organization. To our knowledge, the filings themselves (Form 990, 990-EZ, and state registration and renewal information) were not compromised. Our investigation is ongoing.

How do I know if my username and password were compromised?
We have notified all users of the systems by email. If you have accessed any of these systems, you should assume your username and password were compromised, regardless of whether you received an email.

What should I do if my username and password were compromised?
Change your password immediately. If you use the same password on other sites, please change it there as well.

Was my personal information, including Social Security number, accessed?
No. Forms 990, 990-EZ, 990-N, and Form 8868 extensions do not include personal Social Security numbers or individual tax filer information, so such sensitive information was not available to hackers.

Was my credit card information accessed?
No. Forms 990, 990-EZ, 990-N, and Form 8868 extensions do not include credit card information; therefore, such sensitive information was not available to hackers.

If you made a payment for Form 990 Online through PayPal, that information is visible only to PayPal and was never visible to or stored on the affected system.

Do you provide credit monitoring?
No. These forms and systems do not include credit card information or Social Security numbers, so such sensitive information was not available to the hackers.

Were Schedule B forms accessed?
We have not found any evidence that Schedule B (donor lists) forms were accessed. Our investigation is ongoing.

Does this incident affect 1040s and individual filers preparing their tax returns?
No. This system is designed and used only for nonprofit organizations, not for individuals. Individuals cannot file tax returns using these forms and systems.

I need to file my nonprofit organization’s 990, which is due May 15. Is your system secure, and may I proceed with the filing?
Yes. The system has been secured and is fully operational. To eliminate risks, both systems were rebuilt on new, secured servers. You may file your e-Postcard at any time, and the 2014 Form 990 and 990 E-Z will be available at the end of March.

Does this affect other systems or data housed by the Urban Institute or the National Center for Charitable Statistics?
No. We have confirmed that the unauthorized access was limited to this particular system and server. No other servers were compromised.

Who are the unauthorized parties that accessed your system?
Urban Institute is working closely with law enforcement to investigate the attack. The investigation is ongoing. We do not know who is responsible at this time.

What is the Urban Institute’s connection to Form 990 Online and e-Postcard?
Urban Institute is home to the Center on Nonprofits and Philanthropy (CNP) and the National Center for Charitable Statistics (NCCS). NCCS works with the IRS, state charity officials, policymakers and researchers to collect and analyze data on the nonprofit sector. It also offers assistance and information directly to nonprofits.

In 2000, NCCS began work on electronic filing of state and federal forms and was one of the first organizations to offer electronic filing with the IRS beginning in 2004.

In 2007, NCCS adapted its e-filing technology so that small organizations could complete the e-Postcards that the Congress mandated in the Pension Protection Act of 1996.

NCCS, CNP, and the Urban Institute play no role in evaluating, screening, or assessing nonprofit organizations’ returns. Returns are forwarded directly to the IRS.



