Turns out TurboTax isn’t the only tax-filing service to run into cybersecurity troubles of late. The Urban Institute’s National Center for Charitable Statistics (NCCS) discovered this week that one or more hackers had gained unauthorized access to its Form 990 Online and e-Postcard filing systems for nonprofit organizations.

An estimated 600,000 to 700,000 nonprofits use the service and were affected by the breach, according to an Urban Institute official who spoke to The Hill this week.

Information that was compromised included email addresses, usernames, passwords, first and last names, IP addresses, phone numbers, and addresses and names of the nonprofits that use the NCCS filing service. According to a statement on the Urban Institute’s website, the incident affects users who have filed with the online versions of Forms 990, 990-EZ, and 990-N, as well as Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

No Social Security numbers, credit or debit card numbers, or other sensitive information was stolen, the group said. That information is stored on separate systems and was not accessible to the hackers.

“Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts. We are working with law enforcement agencies as they conduct an investigation,” Elizabeth Boris, director of the Center on Nonprofits and Philanthropy at the Urban Institute, said in a statement to users posted on Nonprofit Quarterly. “In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security.”

Part of a Pattern?

According to The Hill, the Urban Institute is not the first D.C.-based think tank to be targeted. The Center for Strategic and International Studies, the Heritage Foundation, and the American Enterprise Institute have all acknowledged being hacked in the past several years.

The report noted that Chinese state-sponsored hackers, particularly from the hacker collective known as “Deep Panda,” are believed to be responsible for at least some of those attacks.

Officials at the Urban Institute told The Hill that they first noticed suspicious activity in early January but weren’t able to determine the extent of the breach until several weeks later. By the first week of February, the group’s internal investigation uncovered full scope of the hack and immediately contacted the IRS.

“We sincerely apologize for this disruption and any inconvenience this incident may cause you,” Boris said in the statement. “We have a strong commitment to privacy and data security, and we are continuing to do everything we can to protect against future attacks.”

(iStock/Thinkstock)