Urban Institute Hacked, Alerts Customers to Change Passwords

News: The Urban Institute has alerted non-profit groups around the country about a tax-related security breach.

On 24 February 2015, the Urban Institute warned more than one million charitable organizations in the United States about a security breach that provided hackers with access to sensitive information about those groups:


The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered that an unauthorized party or parties have accessed the Form 990 Online and e-Postcard filing systems for nonprofit organizations. This unauthorized access affected nonprofit users of IRS Forms 990, 990-EZ, and 990-N (e-Postcard). In addition, it affected users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

We regret to inform you that the username, first and last name, email address, IP address, phone number, and password associated with your nonprofit organization were compromised in this incident.


Elizabeth Boris, director of the Urban Institute’s Center on Nonprofits and Philanthropy, said that while hackers were able to access usernames, passwords, IP addresses and other sensitive information, the compromised forms filed with the Urban Institute’s National Center for Charitable Statistics (NCCS) did not include Social Security numbers or credit card information:


Currently we believe no information from the filings themselves was compromised. These forms do not contain Social Security numbers, credit card data, or individual tax filer information, so such sensitive information was not available to the hackers. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS.

The Urban Institute said that hackers had accessed accounts in both the e-Postcard and the Form 990 tax filing systems. While it’s unclear exactly how many organizations may have been affected by the security breach, officials estimated that the number could be as high as 700,000.

The Urban Institute does not know who was behind the attack. Boris said that the IRS had been alerted about the security breach, and she urged customers to change the passwords associated with their accounts:


To enhance security, all users accessing the Form 990 Online and e-Postcard systems are required to change their passwords upon logging in, or were when they logged in most recently. We encourage you to be alert for unusual or suspicious emails and use caution when clicking on links or opening attachments from unknown senders.

We sincerely apologize for this disruption and any inconvenience this incident may cause you. We have a strong commitment to privacy and data security, and we are continuing to do everything we can to protect against future attacks. Our investigation is ongoing, and we will let you know if it reveals new information that is relevant to your account.


Last updated: 24 February 2015