Nature Conservancy Says Spyware Compromised Employee Data

By Joe Stephens
Washington Post Staff Writer
Friday, October 5, 2007

A human resources employee at the Nature Conservancy in Arlington used his laptop last month to visit a sports Web site. A short time later, computer technicians at the world's largest environmental organization noticed a torrent of data flowing out of its computer network.

The bad news arrived in the in-boxes of Conservancy staff members a week later: The employee had inadvertently downloaded a spyware program from the Web site, which allowed the software to seize personal and financial information about thousands of Conservancy employees from his hard drive. The rogue program moved the information through a sophisticated network of servers in a number of countries, cloaking the final destination.

Officials say 14,000 people are in danger of having their identities stolen. The hijacked data includes names, home addresses, Social Security numbers, payroll direct-deposit account numbers, bank routing numbers, and benefits and beneficiary information. Those affected include employees, former employees and dependents of employees who worked for the Conservancy between 2000 and Aug. 3 of this year.

"As soon as we knew, we contacted the FBI and got a note out to staff," said Conservancy spokesman Jim Petterson. "We're doing a review of all our security practices, and trying to educate staff about best practices for the Internet. . . . Don't always click that 'yes' button so fast." Conservancy officials said they have seen no misuse of the data.

The Sept. 12 incident was another in a string of security breaches at corporations and government agencies. In March, the discount retail chain TJX disclosed that hackers had stolen at least 45 million of its customers' credit and debit card numbers. TJX operates 2,500 stores, including clothing chains T.J. Maxx and Marshalls.

The latest disclosure comes at an unsettled time for the Conservancy. On Monday, Conservancy President Steven J. McCormick sent an e-mail to each of the organization's 3,500 current employees, announcing his resignation after seven years in his post, but giving no hint of his plans. Petterson said there was no connection between McCormick's resignation and the data breach.

In a Sept. 25 e-mail to Conservancy staff members, chief administrative officer Stephen Howell said, "I want to reiterate that this is a serious issue." He offered every affected adult a year of free credit monitoring.

© 2007 The Washington Post Company