Nonprofit Data Breach Vulnerabilities and How to Avoid Them
By Mike Lee, CIPM, Alexandre Chanoine, J.D. and Derrick King
As more people are shifting to digital lifestyles and remote operations, data is being passed through the internet now more than ever. Proportionate to this, however, are the opportunities for potential compromise of the data, particularly via a data breach. Data breaches are the unauthorized access or disclosure of data for other than authorized and intended purposes. Nonprofit organizations, regardless of size, can be susceptible to a data breach as most accept and facilitate donations, which typically require the collection, processing, and maintenance of financial information. According to the Association of Certified Fraud Examiners 2020 Global Study, nonprofit organizations may be especially vulnerable compared to their for-profit counterparts as resources for privacy/security infrastructure are oftentimes harder to allocate. In recent years, cybercriminals have sought to harvest data for their own gain, targeting nonprofit donor and even employee data systems.
Common Causes of Data Breaches
Data breaches can transpire and come in various forms. Per The NonProfit Times, about 75% of data breaches originate from outside the organization via malicious hackers and phishing activities, while approximately 25% stem from internal sources. The following are some of the most common causes of breaches:
- Lack of organizational privacy/security infrastructure, which incidentally is the part an organization can control. Privacy practices and controls (whether administrative or technical) may not appear as a high return on investment, but they can and will eventually be a good use of organizational resources. Do not let this be an afterthought.
- Human error or negligence – everyone has an “oops” moment, whether it’s accidentally sending an email to an unintended recipient, attaching the wrong file or falling for a phishing attack. These are common honest mistakes absent malicious intent and can be remediated through mandatory privacy trainings, privacy awareness campaigns or administrative announcements reminding employees to secure the data they process.
- Ransomware and phishing attacks can and have been extremely damaging to organizations and individuals. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid to the actor. Phishing is the fraudulent act of sending emails posing to be from a reputable company in order to trick individuals into providing their personal data, such as passwords or credit card information. When in doubt, if something doesn’t appear to be for legitimate purposes or from a legitimate source, defer to your IT and privacy/security personnel.
- E-commerce hacks can occur if your organization uses an online store as a fundraising tool. Given the volume of payment information collected and stored, this opens up donors’ personal data to compromise if not adequately secured.
- Despite the move to digital platforms and mediums, stolen hardware and/or physical files can still be compromised. It may be a laptop left in the backseat of a car that was just broken into or data that was physically mailed out without a tracking mechanism and can’t be located. Users should always be cognizant of the data they process and maintain—especially outside of their normal work environment.
Recent Nonprofit Data Breaches
Nonprofit organizations have incurred significant breaches in recent years, both in terms of volume of records compromised, as well financial losses. The following are several examples—each by an external party—with varying results that may be surprising.
- In May 2019, a New York-based social services agency, suffered a breach of upwards of 1,000 of its clients’ personal data when two of their employees’ email accounts were hacked. Per the organization’s official notice of the incident, the personal data breached may have included full names, addresses, Social Security numbers, financial account information, medical information, health insurance information and/or driver’s license or other government identification numbers. Following initial detection and reporting of the breach, the agency reset the passwords for the hacked accounts.
- A Connecticut-based charity fell victim to a nearly $1 million cyberscam in May of 2017. Hackers were able to use the email account of a U.S. employee to create false invoices and other documents to trick the organization into sending nearly $1 million to a fraudulent entity in Japan. Unfortunately, by the time the breach was detected, the transfer had already cleared. However, the organization was able to recoup all but $112,000 via its insurance policy.
- A Charleston, S.C. cloud-based fundraising vendor for nonprofits and educational institutions, incurred a ransomware attack in early 2020 before it was detected in May of the same year. You know how they say, “Never pay the ransom?” The vendor paid the ransom. However, before receiving confirmation that the data had been destroyed, the attackers copied personal data from approximately 6 million clients—including donors, potential donors, patients and other stakeholders. Among the heavily impacted clients were Inova Health, Saint Luke’s Foundation and MultiCare Foundation.
Best Practices to Prevent Data Breaches
Past data breaches suffered by nonprofit organizations provide us with lessons learned, which can then be leveraged into best practices. Consider the following to bolster your organization’s privacy/security framework and minimize exposure to risks:
- Leverage external resources to identify and cover any privacy/security gaps. Perform a risk assessment to take inventory of what personal data is collected, used and managed to determine the risks associated with possessing the data. Purchasing cyber liability insurance can also help with providing comprehensive risk management insurance, and mitigate the financial impacts of a data breach. (See Mark Millard’s article on page 15 for more information.)
- Fortify your donation platform’s security. Work with IT, as well as any vendors to comply with applicable privacy/security regulations and standards, such as Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). These are particularly relevant given the high utilization of credit card information.
- Regularly review and actively manage users’ access permissions. Monitor and update role-based access for users who have access to data throughout business operations to ensure they only use what they need proportionate to their respective roles. This will also help mitigate the disgruntled former employee breach scenario.
- Implement data minimization controls, only collecting and processing what information is needed for authorized and legitimate business purposes. Similarly, implement and adhere to a data retention policy, only retaining what is necessary to accomplish the objectives and properly disposing of data when it is no longer needed.
- Ensure older and sunsetting technologies have been wiped of personal data prior to getting rid of them. Storing data in multiple locations and mediums helps mitigate hardware failure, but they still need to be accounted for prior to retirement.
- Report breaches, as soon as they are detected. While the point is to mitigate the risks if a breach occurs, the reality is that they are almost unavoidable. It is important to have dedicated incident/breach response policies and procedures, including tabletop activities to prepare for the inevitable breach. (A tabletop activity is a security incident preparedness activity, taking participants through the process of dealing with a simulated incident scenario and providing hands-on training highlighting flaws in incident response planning.)
Conclusion
Data breaches — the causes, impacts and consequences — can be devastating to an organization. As such, it is imperative to be prepared for what is unforeseen but nonetheless predictable. While this may seem daunting, particularly for smaller nonprofits, it should be emphasized that some of the most basic data privacy/security best practices and controls are easy to implement at little to no cost. Overall, the biggest step to be taken in protecting your organization and stakeholders is to make privacy/security a priority. Even without in-house resources, nonprofits can benefit from leveraging external ones to help augment policies and procedures. Preparing for this upfront will save a lot of trouble if a breach occurs.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Spring 2021). Copyright © 2021 BDO USA, LLP. All rights reserved. www.bdo.com