It's a nasty world out there. How can you protect yourself? It's not easy! Many Internet users are given a false sense of security by the "https" protocol also known as Secure Socket Layer (SSL). This protocol is intended to encrypt your communications as they travel through the Internet. Remember that SSL does not secure either ends of the communication. In other words, there could be spyware on your computer capturing your information before it gets encrypted for transmission or, similarly, the web site you are accessing could have been compromised and your information is being stolen once it gets there.

Hang on, it gets worse! Many companies implement proxy servers that will cache (save) web pages as a way to optimize bandwidth. This means that when you go to the same web page again, your company's proxy server will give you the page from its cache (saved area) instead of getting it again from the web site. This improves speed a lot and makes better use of your Internet bandwidth. What's bad about that? Well, some companies will also decrypt your SSL communications and cache your web pages un-encrypted! Companies and specifically schools, use proxy servers to inspect and filter web content. Hackers love proxy servers because they can steel everyone's banking information right from the proxy cache instead of having to attack each person's workstation.

Another common issue is that poorly configured caching proxies can actually not respect http sessions. What that means is that when you access your account information web page it can be cached on your company's proxy server. Another employee could then access their own account information web page but the proxy could give the other employee your information from the cache instead!

Companies may not notice this configuration issue until they run an employee giving campaign. This is because different employees don't usually access the same bank at nearly the same time. Note that the proxy cache will usually get cleared over a period of time so if one employee accesses their bank and then another employee accesses the same bank page much later that day, the web page may have been cleared from the cache and therefore the second employee will get their web page from the bank's server (as it should). When you're running an online employee giving campaign, and the proxy server is poorly configured, the number of employees accessing the same web page at nearly the same time makes it very likely that one person's web page be viewed by others.

You could configure your IIS (web server) to request no-cache but this is only a request. Again, poorly configured proxy servers could ignore this.

How can you tell if this is the case? If your donor company reports that they are seeing another donor's information then you should inquire on whether the other person is within their own company. If the company is using a proxy, it is very likely that it is poorly configured and not respecting http sessions. If the issue was with your servers, different companies would see each other's web pages too. The fact that it is isolated to employees of the same company implies that the issue is with that company's proxy server.

References

Wikipedia
About https proxies or here
About caching
About SSL proxy cache
About SSL over proxy (section 3.2)
About SSL splitting