What Charities & Nonprofits Need To Know About Data Breaches

Media Division | May 28, 2015

The words ‘data breach’ are usually associated with hacks at large-scale retailers such as Target and Home Depot. But did you know that charities and nonprofits are susceptible to the same level of threat? Most of such organizations manage troves of personally identifiable information (PII), which is information pertaining to their employees, volunteers, donors and members. This information includes phone numbers, email addresses, volunteer preferences, mail addresses, and names.

While many nonprofit organizations implement security programs to protect this valuable information, many lack the resources to protect themselves from data breaches. Vulnerable organizations can suffer from attacks in different forms, including the following:

  • Infected servers
  • Hacked emails
  • Spyware or malware injections
  • Stolen identities and social security numbers
  • Cyber extortion

The types of cyber attacks highlight the vulnerability of charities as well as the challenges faced by nonprofits to defend against a wide range of threats.

Recent examples

CareFirst is a recent example of a nonprofit that suffered a sophisticated data breach attack. Hackers managed to infiltrate a database consisting of member birth dates, email addresses, names, and other sensitive information.

Another example comes from last year when ICO (Information Commissioner’s Office) in the UK imposed a £200,000 on BPAS (British Pregnancy Advice Service) for exposing personal details of thousands to a malicious cyber criminal. The investigation highlighted that the victim’s websites were vulnerable to attacks, and the charitable organization didn’t realize that the website wasn’t’ sufficiently kept secure.

People Plus, a nonprofit based in Brunswick, Maine, suffered a data breach because of security vulnerabilities which saw the database of a portion of its members posted on its website, including details of how much was contributed by each member along with their spouse name, telephone number, address, birthday, and emergency contact detail. The database even had buttons to download the information via a spreadsheet and was later available in cached versions after being taken down.

Authorities are unlikely to forgo fines and other penalties when nonprofits aren’t able to secure information as sensitive as this. As a result, there is a need to ensure sensitive member/customer information they are responsible for is kept secure from all ends.

What nonprofits need to do?

For the above-mentioned reasons and instances, nonprofits need to be as vigilant for data breach threats as for-profit companies are, if not more so. The key is to access and eliminate weaknesses in security systems, review policies and protocols, educate employees and access them for malicious insider threats, and update network detection systems.

But these are only the basic steps to protect the information of your volunteers, donors, etc. To provide ample security, you need to prepare yourself for the worst. Doing so will minimize the likelihood of data breaches by bolstering the security of your endpoints, as well as ensure you’re complying with applicable state and national data breach laws.

Massive’s threat intelligence feeds can analyze countless variables on systems that are vulnerable to different malware forms. By extracting different data structures, the data streams are intercepted for threat notification. So if you as a nonprofit are concerned about being a target of a silent data breach attack then Massive can assist you in learning about vulnerabilities by making you see your data through the threat actor’s eyes.

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.