Nonprots, please note: Security Alert for Form 990 Online and 990-N e-Postcard

By -
From Form990.org:

The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered that an unauthorized party or parties have gained access to the Form 990 Online and e-Postcard filing systems for nonprofit organizations. This unauthorized access affected nonprofits that used IRS Forms 990, 990-EZ, and 990-N (e-Postcard). It also affected users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts. We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security. Our investigation is ongoing.

Based on current information, we believe no information from the filings themselves was compromised. These forms do not contain Social Security numbers or individual tax filer information, so such sensitive information was not available to the hackers. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS annually.

If you use these systems on behalf of your nonprofit, we strongly encourage you to change your password immediately. If you use the same password for your organization’s Form 990 Online and e-Postcard that you do for other websites or applications, we strongly encourage you to change it immediately in each of those instances.

To change your password on Form 990 Online, click here.

To change your password for e-Postcard (990-N), click here.

To enhance security, all users accessing the Form 990 and e-Postcard systems are also being required to change their passwords upon logging in, or were when they logged in most recently.

The Urban Institute has a strong commitment to privacy and data security and will continue to work diligently to protect your organization’s data. We apologize for this disruption and any inconvenience this incident may cause our users.

If you have any questions, please consult the FAQ below. You may also contact us at security@form990.org or at 1-800-564-9110.
Sincerely,

Elizabeth T. Boris
Director, Center on Nonprofits and Philanthropy

FAQ

How will I know if I my nonprofit’s information was accessed?
The intruders gained access to information on all registered users for the nonprofit organizations that have used IRS Forms 990, 990-EZ, and 990-N (e-Postcard) on these systems. This also affects registered users for IRS Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

If you have used these systems, it is likely that some of your information was accessed. All users were sent an email notification by the Urban Institute.

What information was accessed?
Usernames, first and last names, email addresses, IP addresses, phone numbers, and passwords were accessed. Other publicly available information may have been accessed as well, such as the Employer Identification Number (EIN), name, and address of the nonprofit organization. To our knowledge, the filings themselves (Form 990, 990-EZ, and state registration and renewal information) were not compromised. Our investigation is ongoing.

How do I know if my username and password were compromised?
We have notified all users of the systems by email. If you have accessed any of these systems, you should assume your username and password were compromised, regardless of whether you received an email.

What should I do if my username and password were compromised?
Change your password immediately. If you use the same password on other sites, please change it there as well.

Was my personal information, including Social Security number, accessed?
No. Forms 990, 990-EZ, 990-N, and Form 8868 extensions do not include personal Social Security numbers or individual tax filer information, so such sensitive information was not available to hackers.

Was my credit card information accessed?
No. Forms 990, 990-EZ, 990-N, and Form 8868 extensions do not include credit card information; therefore, such sensitive information was not available to hackers.

If you made a payment for Form 990 Online through PayPal, that information is visible only to PayPal and was never visible to or stored on the affected system.

Do you provide credit monitoring?
No. These forms and systems do not include credit card information or Social Security numbers, so such sensitive information was not available to the hackers.

Were Schedule B forms accessed?
We have not found any evidence that Schedule B (donor lists) forms were accessed. Our investigation is ongoing.

Does this incident affect 1040s and individual filers preparing their tax returns?
No. This system is designed and used only for nonprofit organizations, not for individuals. Individuals cannot file tax returns using these forms and systems.

I need to file my nonprofit organization’s 990, which is due May 15. Is your system secure, and may I proceed with the filing?
Yes. The system has been secured and is fully operational. To eliminate risks, both systems were rebuilt on new, secured servers. You may file your e-Postcard at any time, and the 2014 Form 990 and 990 E-Z will be available at the end of March.

Does this affect other systems or data housed by the Urban Institute or the National Center for Charitable Statistics?
No. We have confirmed that the unauthorized access was limited to this particular system and server. No other servers were compromised.

Who are the unauthorized parties that accessed your system?
Urban Institute is working closely with law enforcement to investigate the attack. The investigation is ongoing. We do not know who is responsible at this time.

What is the Urban Institute’s connection to Form 990 Online and e-Postcard?
Urban Institute is home to the Center on Nonprofits and Philanthropy (CNP) and the National Center for Charitable Statistics (NCCS). NCCS works with the IRS, state charity officials, policymakers and researchers to collect and analyze data on the nonprofit sector. It also offers assistance and information directly to nonprofits.

In 2000, NCCS began work on electronic filing of state and federal forms and was one of the first organizations to offer electronic filing with the IRS beginning in 2004.

In 2007, NCCS adapted its e-filing technology so that small organizations could complete the e-Postcards that the Congress mandated in the Pension Protection Act of 1996.

NCCS, CNP, and the Urban Institute play no role in evaluating, screening, or assessing nonprofit organizations’ returns. Returns are forwarded directly to the IRS.




Comments

Post a Comment

Popular posts from this blog

New York State County ZIP Codes

By -
The Empire State Development Library created a list of the NYS County zip codes arranged alphabetically. "Please note: Zip codes bear no relation to county or other administrative boundaries. They are established by the U.S. Postal Service for mail delivery. In many cases a zip code may cover areas in more than one county." For instance, 10466 is primarily a Bronx ZIP Code, but it also appears in part of Westchester County. Albany County, NY (county) Zip Code(s): 12007 12009 12023 12041 12046 12047 12053 12054 12055 12059 12067 12077 12083 12084 12110 12120 12122 12143 12147 12158 12159 12183 12186 12189 12193 12202 12203 12204 12205 12206 12207 12208 12209 12210 12211 12303 12304 12309 12469 Allegany County, NY (county) Zip Code(s): 14060 14065 14536 14708 14709 14711 14714 14715 14717 14721 14727 14735 14739 14744 14754 14777 14802 14803 14804 14806 14807 14813 14822 14836 14846 14880 14884 14895 14897 Bronx County, NY (county) Zip Code(s): 10034 10039 10451 10452 10453 1
Read more

Starting a Mobile Food Concession Business? Be Sure to Follow the Rules of the Road

By -
Want to take your restaurant on the road? Interested in starting a food-service business that affords lower overhead costs than a bricks and mortar restaurant? Starting a mobile food concession business has its advantages – the rent is cheaper, staff overhead is lower, and you can move to follow the profits. But it also has its challenges – weather, vehicle breakdowns, and seasonality, to name a few. And don’t forget, starting a business or expanding into new markets, particularly with on-board food, means you’ll also have to heed laws and regulations that apply when you take your business to the streets. Here’s what you need to know about operating your concession business within the law: 1. Apply for Licenses and Permits Any business needs a license or permit to operate legally, but going mobile requires you to get permits for all the cities and counties where you operate, not just your static business address (which may be your main place of business or your home-based HQ).
Read more

Beware credit counseling services like Clear Your Debt LLC

By -
An advisor at one of our regional centers asked me to share some information he learned while working with a client last week. During the course of the counseling session, the client revealed she had signed up with a credit counseling service, Clear Your Debt LLC, from Austin, TX. The advisor was concerned when he read the contract the client signed, which prompted him to investigate the company. The Better Business Bureau in Austin told the advisor they had received numerous complaints against Clear Your Debt LLC. Though Clear Your Debt promised financing, counseling and other assistance, the advisor’s conclusion - after reading their confusing contract and talking to the BBB - was that the client would pay $15,000 for basically nothing. At that point, the advisor encouraged the client to return the contract she signed and cancel the agreement (this was within 3 days of the client signing the agreement). The advisor called me and asked that I share the information with other SBDC advi
Read more