Prominent DC think tank hacked

The TurboTax of the nonprofit world has been hacked. 

The Urban Institute, a prominent think tank in Washington, D.C., alerted charitable organizations around the country Tuesday that its system for filing tax forms was breached. 

ADVERTISEMENT
Hackers were able to access usernames, passwords, IP addresses and other account data for nonprofits that use the Urban Institute's National Center for Charitable Statistics (NCCS) to file their taxes. 

"We sincerely apologize for this disruption and any inconvenience this incident may cause you," Elizabeth Boris, director of the Institute's Center on Nonprofits and Philanthropy, wrote in a message to groups on Tuesday. 

"We have a strong commitment to privacy and data security, and we are continuing to do everything we can to protect against future attacks. Our investigation is ongoing, and we will let you know if it reveals new information that is relevant to your account." The Center on Nonprofits and Philanthropy houses the NCCS. 

An official with the Urban Institute estimated that between 600,000 and 700,000 organizations were affected by the breach. At this point, there is apparently no evidence that tax filings themselves were compromised. There were also no Social Security numbers or credit card information in the system, the official said. 

Hackers repeatedly target D.C. think tanks. Security analysts say there is virtually no major organization or agency in the city that has not faced a breach or hacking attempt of one kind or another, though almost none will confirm the details. 

Chinese state-sponsored hackers are believed to be at fault in some cases. The hacker collective known as "Deep Panda," which may have been responsible for the recent attack on Anthem, launched a series of attacks targeting Middle East experts at think tanks around Washington in 2014. 

The Center for Strategic and International Studies, the Heritage Foundation and the American Enterprise Institute have publicly acknowledged being hacked. Foreign policy experts joining the Obama administration in 2009 also came under assault from hackers, according to reports. 

U.S. security think tanks and foreign policy experts are seen as valuable targets for cyber surveillance. 

China and other countries are constantly struggling for private insight into how Washington works, whether that means accessing sensitive documents about U.S. policy and strategy or building profiles of powerful individuals and opinion-makers.

The attack on the Urban Institute could be part of this pattern, or it could be a different kind of hack aimed at gathering the sensitive tax information that passes through the organization. Urban Institute officials would not share details, citing the ongoing investigation. 

The group first alerted the million-plus nonprofits that use its systems to the breach on Tuesday. It was the first time the group publicly acknowledged being hacked. 

Officials said the Institute first noticed suspicious activity in its systems on Jan. 7, but did not know what had been compromised at that point. 

Later, on Jan. 23, the Institute confirmed that hackers had accessed accounts within the e-Postcard filing system, which serves nonprofits with gross annual receipts of $50,000 or less. Starting the next day, users were prompted to change their passwords when they accessed the site. 

Finally, on Feb. 4, the Institute's investigation revealed the full scope of intruders' access. 

Hackers broke into the e-Postcard system as well as the Form 990 system, which serves organizations with gross receipts of more than $50,000 annually. Those users were also prompted to change their passwords. 

A total of 740,000 email addresses were tied to the compromised accounts, an official said. 

The Institute did not disclose who it believes was behind the attack, or how the breach took place. An official also declined to name the security firm that is investigating the attack. 

"Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts," Boris wrote Tuesday. 

"We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security."

The Urban Institute has worked with the Internal Revenue Service on nonprofit tax filings since the late 1990s, according to an official with the group. 

The Center on Nonprofits and Philanthropy and the NCCS are considered leading sources of data and expertise on the world of U.S. nonprofit groups. 

—This story was last updated at 3:09 p.m.