Questions about the AAMFT Member Database and Email
Is AAMFT making too much of too little?
Those speaking on behalf of the Call for Change claim that no actions in the use of AAMFT’s member systems and data were wrong in any way. One public statement made by the group has been, “only email addresses were taken.” Another, in the Psychotherapy Networker, suggested that there was merely “inappropriate use of the membership listserve.”
WHY IT MATTERS:
SUFFICIENT DATA WAS TAKEN FROM AAMFT’S SERVERS SO THAT ANYONE WITH ACCESS TO IT COULD CREATE A PHISHING SCHEME. FAKE DUES BILLS COULD BE SENT TO ALL AAMFT MEMBERS VIA EMAIL. SUFFICIENT INFORMATION COULD BE PLACED ON THE INVOICE SUCH THAT MEMBERS WOULD HAVE NO WAY OF KNOWING THAT THE BILL WAS FRAUDULENT AND FUNDS OR CREDIT CARD INFORMATION THEY PROVIDED WOULD BE IN THE HANDS OF SOMEONE OTHER THAN AAMFT.
WHAT HAPPENED: THE FACTS
AAMFT’s Membership Database is not accessible to members at large; the raw files and data are kept in a protected environment on our servers.
Division Leaders have a secure login, issued only to them and not to general members, through which they can access member information for their own divisions, for use in division business.
Policies regarding the appropriate uses of, and restrictions on, this data are well publicized: in the Division Leaders Training, on the Division Leaders website, and through formal policy statements. The policy that has been in place since 2004 can be reviewed here: Division Email Blast Policy. This policy is clear that division leaders are to access data for their own divisions only, and to use email addresses for their own divisions only.
On June 3, 2009, in a period of 34 minutes, a division leader accessed and downloaded the data files for all 53 AAMFT divisions. The files for each division had to be accessed individually. Information was gathered for over 20,000 AAMFT members.
The information that was accessed included member names, addresses, email addresses, work/home/fax numbers, member type and class, billing flags, join date, paid-through and billed-through dates, amount billed, amount paid, date billed, last paid, offer date, and other business tags used by AAMFT. Again, this amount and level of data were not inconsequential and could easily be used for nefarious purposes.
AAMFT was unaware that the member data had been taken until it was used in an unsolicited bulk email (UBE) sent to the entire AAMFT membership, over two days, July 24 and 25, 2009. At that time, the organization began to take steps to try to have the data files returned, secured, and/or destroyed.
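The access pattern described above (a single leader pulling every division's file in a short period, while the policy permits access to one's own division only) is exactly the kind of event an export log can surface before the data is used. The following is an added illustration, not AAMFT's software or logs; the log format, leader and division identifiers, and the 60-minute/3-division thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export log (not AAMFT's real logs). Fields:
# timestamp, leader_id, leader_home_division, division_exported
SAMPLE_LOG = """\
2009-06-03T10:02:11 leader17 div12 div12
2009-06-03T10:05:40 leader42 div03 div03
2009-06-03T10:06:02 leader42 div03 div04
2009-06-03T10:07:15 leader42 div03 div05
2009-06-03T10:09:48 leader42 div03 div06
2009-06-03T10:11:30 leader42 div03 div07
2009-06-03T11:30:00 leader17 div12 div12
"""

WINDOW = timedelta(minutes=60)   # hypothetical look-back window for bulk exports
MAX_DIVISIONS = 3                # hypothetical threshold: distinct divisions per window

def parse_log(text):
    """Parse the constructed log into sorted (timestamp, leader, home, exported) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, leader, home, exported = line.split()
        events.append((datetime.fromisoformat(ts), leader, home, exported))
    return sorted(events)

def detect_misuse(text, window=WINDOW, max_divisions=MAX_DIVISIONS):
    """Return a list of (leader_id, reason) findings.

    Two rules, both following from the own-division-only policy:
    - cross_division: a leader exported a division other than their own.
    - bulk_export: a leader exported more than `max_divisions` distinct
      divisions within `window` (reported once per leader).
    """
    findings = []
    recent = defaultdict(list)   # leader -> [(timestamp, division)] inside the window
    bulk_flagged = set()
    for ts, leader, home, exported in parse_log(text):
        if exported != home:
            findings.append((leader, f"cross_division:{exported}"))
        recent[leader] = [(t, d) for t, d in recent[leader] if ts - t <= window]
        recent[leader].append((ts, exported))
        distinct = {d for _, d in recent[leader]}
        if len(distinct) > max_divisions and leader not in bulk_flagged:
            bulk_flagged.add(leader)
            findings.append((leader, f"bulk_export:{len(distinct)}_divisions"))
    return findings
```

Either rule alone would have raised an alert on June 3 rather than after the bulk email on July 24.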
EXPECTATIONS FOR RECOVERY
To protect AAMFT members, the Association asked those individuals who were active in taking and using member data:
- To cease and desist from any further use or dissemination of the data.
- To return any and all copies of AAMFT member information, whether in electronic, paper, or other forms of media.
- To cooperate in the recovery of the data by informing AAMFT of the identity of all parties to whom the data was transferred.
- To provide a list, to the best of one’s knowledge, of all the instances where the data has been used to date.
AAMFT also asked those individuals involved for a sworn affidavit to the effect that all these steps had been taken, that the information provided was true, and that no further use of the data would be made.
To date, no individual involved has provided the requested sworn statement.