Member Information Vulnerability Update
Security Update and Notice of Risk
What Happened?
At 14:57pdt Saturday September 12th, 2020 it came to our attention that there was a security vulnerability that
potentially led to the exposure of partial excerpts of our member roster. The information was logged in .txt files on
the SRA web server and accessible via simple URL. These URLs were not linked, published, nor communicated in any way
and our access logs do not show that the information was ever accessed except by our newly hired professional web
developer, but the access logs may be incomplete. The information stored in these files included:
- 865 member names and corresponding member numbers
- 2,130 member email addresses
- 110 expired Stripe tokens
Upon discovery, these files and pages were removed from the web server by our web developer. No payment or location
data was stored in these files and all Stripe tokens expire after one use, therefore it is, and always has been,
impossible to retrieve payment information from these tokens.
How Did This Happen?
This architecture was a result of negligent web design and server hygiene. Our staff was unable to provide the level of security needed for an organization such as ours. We assume full responsibility for the poor architecture which we subjected our comrades to and commit to a future of safety and accountability to and for our members.
What Is Being Done?
As previously stated we now have a dedicated professional web developer on staff and will be contracting with
penetration testers to ensure our data security meets the needs and expectations of our members. We have moved all of
our membership management to a professional third party platform to help avoid situations like this in the future. We
have decided to completely rebuild the website and we will be emailing affected email addresses today; if you do not
receive an email your data was not affected.