DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Children’s charity Kars4Kids leaks info on 21,000 donors

Posted on November 13, 2018 by Dissent

Bob Diachenko of HackenProof.com reports:

Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are most known for their nationwide advertising using their hypnotic theme song where a child and a Johny Cash impersonator sing the phone number and invites people to donate their cars today.

On the 3rd of November, Bob Diachenko, Director of Cyber Risk Research at Hacken has found what appeared to be a publicly accessible MongoDB. Upon further investigation, the data seemed to contain the emails and personal data of 21,612 Kars4Kids donors/customers and super administrator login and password details.

Read more on HackenProof.  Zack Whittaker of TechCrunch also reports on the leak that also involved a hack.

But note the problems Bob had with making notification to the charity. It is the same frustrating situation that I have encountered – and reported upon – numerous times. Bob writes:

On the 3rd of November, a notification email was sent to multiple email addresses with no reply and the database remained open until the evening of November 5th. It took 3 hours by phone to reach someone despite telling the volunteers who answer the phones that this is a serious issue and we need to speak with someone in the IT Technology department or senior management. On one occasion the call was forwarded to someone in Israel who could not give me names, contacts, or emails of anyone who could secure the data and told me to call the same main number again.

We understand that it is a common practice to create a buffer zone between the public and senior managers or leadership. However, the most shocking thing was that an organization or company would not have a data breach or crisis action plan for when a report is made. During the notification process, we told anyone who would listen what happened, how important it is and that we must speak with someone to help secure this data urgently. The issue here is that every organization must understand the value of the information they store and collect. They must take every possible step to secure and protect that data. This includes training everyone to be on the same page and enact a data breach protocol for when the worst happens.

To my knowledge, the FTC has only taken enforcement action once for failure to have an incident response plan in place that enabled people to quickly report leaks or breaches. The FTC does not have authority under Section 5 to go after a not-for-profit, so who would do anything about this incident?  Would a state attorney general’s office go after a charity that is oriented to helping kids? It might make for bad PR for the office.

Anyway, if anyone received a notification from Kars4Kids, please send a copy along to DataBreaches.net. I’d like to see what they told those affected.

Category: ExposureHackMiscellaneousU.S.

Post navigation

← WordPress GDPR plugin inadvertently exposed sites to hackers
Do you login to merchant sites using your FB or Google credentials? The Annex Cloud breach may have affected you. →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.