Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day.
The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! In return, you get to write-off the donation from your taxes, and you’re given a “holiday voucher” to sweeten the deal.
But a security lapse left thousands of those donation records exposed for anyone to find.
Bob Diachenko, Hacken.io’s director of cyber risk research, earlier this month found the company’s MongoDB database on a server, wide open and without a password.
The server contained 21,612 records and climbing — representing weeks’ worth of data, Diachenko told TechCrunch, prior to blogging his findings. The data included donor email addresses and donation receipts, which included customized links to a donor’s tax receipt. He also found credentials, which he said could have allowed a hacker to access far more sensitive data.
Diachenko said that Kars4Kids had told him that customers had been informed, but TechCrunch has found no evidence of the company’s claim.
Kars4Kids spokesperson Wendy Kirwan acknowledged the breach in an email Tuesday, adding that its “legal team advised that we are not, according to state law, obligated to inform the NJ Attorney General about the breach.”
It isn’t known how long the database was exposed, but Dianchenko said he wasn’t the first to discover the database. A note left in the database by a hacker claimed to have “downloaded and backed up;” the hacker demanded bitcoin in exchange for the data’s safe return.
The breach represents a portion — though not all — of the cars that Kars4Kids receives annually — reportedly tens of thousands each year. The nonprofit has been criticized over the handling of its finances, and currently has a “moderate concern” rating from independent evaluator Charity Navigator.