Cyber Incident Victim: The Urban Institute
Date: Jan 2015
Location: United States of America
Summary
A prominent Washington, D.C. think tank experienced a cybersecurity breach compromising usernames, passwords, IP addresses, and account data for nonprofit organizations using its tax filing systems. The incident affected between 600,000 and 700,000 organizations, exposing 740,000 associated email addresses but no tax filings, Social Security numbers, or credit card information. Attackers accessed both the e-Postcard system for smaller nonprofits and the Form 990 system for larger organizations. The breach was detected through suspicious system activity, prompting password resets for all users and collaboration with law enforcement and a cybersecurity firm. While officials didn't attribute responsibility, the incident aligns with patterns of cyber surveillance targeting policy organizations for insights into U.S. operations and sensitive data.
Description
The Urban Institute, a prominent Washington, D.C. think tank, detected suspicious activity in its systems on January 7, 2015, initiating an investigation that revealed a multi-stage breach of its National Center for Charitable Statistics (NCCS) tax filing platforms. By January 23, investigators confirmed unauthorized access to the e-Postcard system used by nonprofits with annual receipts under $50,000, prompting immediate password resets for affected users starting January 24. The full scope emerged on February 4 when forensic analysis showed compromise of both the e-Postcard system and the Form 990 filing system for larger nonprofits exceeding $50,000 in annual receipts. Attackers exfiltrated usernames, passwords, IP addresses, and organizational account data, but did not access actual tax filings, Social Security numbers, or credit card information according to the Institute's assessment. The breach impacted between 600,000 and 700,000 nonprofit organizations, with 740,000 associated email addresses exposed. Urban Institute officials maintained contact with the IRS throughout the incident due to their longstanding partnership on nonprofit tax administration dating to the late 1990s.

On February 24, 2015, the Institute formally notified over one million nonprofit users of the breach through a message from Center on Nonprofits and Philanthropy director Elizabeth Boris, who apologized for the disruption while emphasizing their commitment to data security. The organization engaged law enforcement agencies, retained an unnamed cybersecurity firm for forensic analysis, and implemented system hardening measures following the attack discovery. Though officials declined to attribute responsibility or disclose intrusion methods, citing the ongoing investigation, the breach pattern aligned with known targeting of D.C. think tanks by foreign state-sponsored actors seeking policy insights or sensitive data. The NCCS temporarily maintained operations during remediation, requiring all users across both compromised filing systems to reset credentials as investigators worked to determine whether attackers leveraged stolen data between initial access (January 7) and containment actions. No subsequent misuse of compromised information was publicly confirmed at the time of reporting.
