At 14:57 PDT on Saturday, September 12, 2020, we became aware of a security vulnerability that potentially exposed partial excerpts of our member roster. The information had been logged to .txt files on the SRA web server and was retrievable by anyone who requested the right URL. These URLs were never linked, published, or communicated in any way, and our access logs show no access to the files other than by our newly hired professional web developer; however, those logs may be incomplete, so we cannot rule out that the files were read. The files contained:
- 865 member names and corresponding member numbers
- 2,130 member email addresses
- 110 expired Stripe tokens
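The log review described above, shown here as an added illustration that is not part of the SRA notice or its web developer's work: it scans constructed Apache/nginx-style access log lines for successful requests to the exposed files from anyone other than the developer, and flags long gaps between entries, since a gap on a normally busy server is one sign that the log is incomplete and that "no access recorded" is not the same as "never accessed". The file paths and the developer's IP address are hypothetical placeholders, as are the sample log lines.

```python
import re
from datetime import datetime, timedelta

# Hypothetical values: the real paths and developer address are not in the notice.
EXPOSED_PATHS = {"/logs/members.txt", "/logs/emails.txt", "/logs/stripe.txt"}
DEVELOPER_IPS = {"203.0.113.7"}

# Constructed sample in Common Log Format. The last line deliberately contains a
# read from an unknown address so the detection has something to find.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Sep/2020:13:01:10 -0700] "GET /index.html HTTP/1.1" 200 5123
203.0.113.7 - - [12/Sep/2020:14:57:02 -0700] "GET /logs/members.txt HTTP/1.1" 200 40211
203.0.113.7 - - [12/Sep/2020:14:58:40 -0700] "GET /logs/emails.txt HTTP/1.1" 200 61002
198.51.100.23 - - [12/Sep/2020:15:30:00 -0700] "GET /logs/members.txt HTTP/1.1" 404 196
192.0.2.44 - - [13/Sep/2020:02:15:33 -0700] "GET /logs/stripe.txt?x=1 HTTP/1.1" 200 3310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when matching
    rec["status"] = int(rec["status"])
    return rec


def find_unexpected_access(lines):
    """Return entries where an exposed file was served (status < 400) to an
    address that is not the developer's. A 404 is a probe, not a disclosure;
    a 304 still means the client already holds a copy, so it is included."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"] in EXPOSED_PATHS
                and rec["ip"] not in DEVELOPER_IPS
                and rec["status"] < 400):
            hits.append(rec)
    return hits


def find_log_gaps(lines, max_gap=timedelta(hours=6)):
    """Return (previous, next) timestamp pairs separated by more than max_gap.
    On a server that normally sees steady traffic, such a gap suggests missing
    entries (rotation, logging disabled, truncated file), which is why an empty
    result from find_unexpected_access is not proof the files went unread."""
    gaps = []
    prev = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if prev is not None and rec["ts"] - prev > max_gap:
            gaps.append((prev, rec["ts"]))
        prev = rec["ts"]
    return gaps


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for h in find_unexpected_access(lines):
        print(f"served {h['path']} to {h['ip']} at {h['ts']} (status {h['status']})")
    for start, end in find_log_gaps(lines):
        print(f"possible log gap: no entries between {start} and {end}")
```

Run against real logs, the same two checks should be applied to every rotated copy and to any CDN or reverse-proxy logs in front of the origin, since the origin log alone will miss cached responses.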
Upon discovery, our web developer removed these files and pages from the web server. The files contained no payment or location data, and Stripe tokens are single-use and expire once consumed, so it is not, and never was, possible to retrieve payment information from the tokens they contained.
This architecture was the result of negligent web design and server hygiene by our previous web developer and co-founder, JL Hamilton, who recently lost his battle with brain cancer. JL was a committed, albeit over-eager, founding organizer of the SRA. He may have overestimated his abilities as a web developer, but he always had the highest respect and concern for the safety of our comrades and their data. That said, our staff was unable to provide the level of security that an organization such as ours requires. We assume full responsibility for the poor architecture to which we subjected our comrades, and we commit to a future of safety and accountability to and for our members.
As stated above, we now have a dedicated professional web developer on staff and will be contracting penetration testers to ensure that our data security meets the needs and expectations of our members. We have moved all of our membership management to a professional third-party platform to help prevent situations like this in the future. We have decided to rebuild the website completely, and we will be emailing affected addresses today; if you do not receive an email, your data was not affected.