Donors’ Data Breached But On Smaller Scales

December 9, 2014 | Mark Hrywna

The first thing that might come to mind when you hear the words data breach is the recent hacks of large corporations such as Home Depot, Chase and Target that possibly exposed millions of usernames, passwords and other records. Hacking a nonprofit isn’t likely to breach 76 million records as is estimated with Chase or yield a bounty of credit card information, but who knows the motivation of some people?

There have been at least 1 billion records exposed from fewer than 5,000 breaches since 2005, according to Privacy Rights Clearinghouse (PRC), a San Diego, Calif., organization that keeps a chronological log of data breaches made public. The number of records is not necessarily the number of individuals affected, as some individuals could be victims of more than one breach.

When it comes to nonprofits specifically, PRC has recorded more than 100 breaches since 2005, involving more than 2 million records. Of those, more than 32 breaches involving at least 250,000 records were the result of hacking or malware. Most were at educational or healthcare institutions.

This year is on pace to surpass the record set in 2013 for the most exposed records overall, according to Jake Kouns, chief information security officer for Risk Based Security in Richmond, Va., and founder of the Open Security Foundation (OSF). There were 1,331 breaches exposing 502 million records through the first half of this year, on pace to break last year’s record of 814 million records exposed from 1,950 breaches.

A breach is an unauthorized access of data. It doesn’t necessarily mean that something was stolen or that bank accounts were accessed.

Many of the high-profile breaches are incidents of hacking, but what’s happening in other sectors depends on the industry, Kouns said. In the medical field, it’s more about lost laptops, he said, while for a lot of nonprofits, it’s snooping — employees who have legitimate access but unauthorized use.

That’s not to say that some charities are not the target of hackers. The L.A. Gay & Lesbian Center last year was the victim of what it described as a “sophisticated cyber-attack” designed to collect credit card and Social Security numbers and other financial information. In a statement in December 2013, the center said there was no evidence that anyone’s information was actually accessed or acquired. But approximately 59,000 clients and former clients were notified that information related to them might have been compromised between Sept. 17 and Nov. 8, 2013.

An information technology employee at the center became suspicious that sophisticated malware had evaded the organization’s security measures, leading officials to retain data security and technology consultants. Consultants confirmed on Nov. 22, 2013, that the security of certain client data might have been compromised and, by Dec. 3, confirmed that additional data could have been compromised. “Out of an abundance of caution,” the center began notifying people on Dec. 2, 2013, and offered one free year of identity theft protection from one of the major credit card monitoring agencies.

The L.A. Gay & Lesbian Center declined to comment for this story, beyond providing the statement it issued in December.