DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Children’s charity Kars4Kids leaks info on 21,000 donors

Posted on November 13, 2018 by Dissent

Bob Diachenko of HackenProof.com reports:

Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are most known for their nationwide advertising using their hypnotic theme song where a child and a Johny Cash impersonator sing the phone number and invites people to donate their cars today.

On the 3rd of November, Bob Diachenko, Director of Cyber Risk Research at Hacken has found what appeared to be a publicly accessible MongoDB. Upon further investigation, the data seemed to contain the emails and personal data of 21,612 Kars4Kids donors/customers and super administrator login and password details.

Read more on HackenProof.  Zack Whittaker of TechCrunch also reports on the leak that also involved a hack.

But note the problems Bob had with making notification to the charity. It is the same frustrating situation that I have encountered – and reported upon – numerous times. Bob writes:

On the 3rd of November, a notification email was sent to multiple email addresses with no reply and the database remained open until the evening of November 5th. It took 3 hours by phone to reach someone despite telling the volunteers who answer the phones that this is a serious issue and we need to speak with someone in the IT Technology department or senior management. On one occasion the call was forwarded to someone in Israel who could not give me names, contacts, or emails of anyone who could secure the data and told me to call the same main number again.

We understand that it is a common practice to create a buffer zone between the public and senior managers or leadership. However, the most shocking thing was that an organization or company would not have a data breach or crisis action plan for when a report is made. During the notification process, we told anyone who would listen what happened, how important it is and that we must speak with someone to help secure this data urgently. The issue here is that every organization must understand the value of the information they store and collect. They must take every possible step to secure and protect that data. This includes training everyone to be on the same page and enact a data breach protocol for when the worst happens.

To my knowledge, the FTC has only taken enforcement action once for failure to have an incident response plan in place that enabled people to quickly report leaks or breaches. The FTC does not have authority under Section 5 to go after a not-for-profit, so who would do anything about this incident?  Would a state attorney general’s office go after a charity that is oriented to helping kids? It might make for bad PR for the office.

Anyway, if anyone received a notification from Kars4Kids, please send a copy along to DataBreaches.net. I’d like to see what they told those affected.

No related posts.

Category: ExposureHackMiscellaneousU.S.

Post navigation

← WordPress GDPR plugin inadvertently exposed sites to hackers
Do you login to merchant sites using your FB or Google credentials? The Annex Cloud breach may have affected you. →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • National Health Care Fraud Takedown Results in 324 Defendants Charged in Connection with Over $14.6 Billion in Alleged Fraud
  • Swiss Health Foundation Radix Hit by Cyberattack Affecting Federal Data
  • Russian hackers get 7 and 5 years in prison for large-scale cyber attacks with ransomware, over 60 million euros in bitcoins seized
  • Bolton Walk-In Clinic patient data leak locked down (finally!)
  • 50 Customers of French Bank Hit by Insider SIM Swap Scam
  • Ontario health agency atHome ordered to inform 200,000 patients of March data breach
  • Fact-Checking Claims By Cybernews: The 16 Billion Record Data Breach That Wasn’t
  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The Trump administration is building a national citizenship data system
  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.