The first thing that might come to mind when you hear the words data breach is the recent hacks of large corporations such as Home Depot, Chase and Target that possibly exposed millions of usernames, passwords and other records. Hacking a nonprofit isn’t likely to breach 76 million records as is estimated with Chase or yield a bounty of credit card information, but who knows the motivation of some people?
There have been at least 1 billion records exposed from fewer than 5,000 breaches since 2005, according to Privacy Rights Clearinghouse (PRC), a San Diego, Calif., organization that keeps a chronological log of data breaches made public. Records might not necessarily be the number of individuals affected, as some individuals could be victims of more than one breach.
When it comes to nonprofits specifically, PRC has recorded more than 100 breaches since 2005, involving more than 2 million records. Of those, more than 32 breaches involving at least 250,000 records were the result of hacking or malware. Most were at educational or healthcare institutions.
This year is on pace to surpass the record set in 2013 for the most exposed records overall, according to Jake Kouns, chief information security officer for Risk Based Security in Richmond, Va., and founder of the Open Security Foundation (OSF). There have been 1,331 breaches exposing 502 million records lost through the first half of this year, on pace to break last year’s record amounts of 814 million records exposed from 1,950 breaches.
A breach is an unauthorized access of data. It doesn’t necessarily mean that something was stolen or that bank accounts were accessed.
Many of the high-profile breaches are incidents of hacking, but what’s happening in other sectors depends on the industry, Kouns said. In the medical field, it’s more about lost laptops, he said, while for a lot of nonprofits, it’s snooping — employees who have legitimate access but unauthorized use.
That’s not to say that some charities are not the target of hackers. The L.A. Gay & Lesbian Center last year was the victim of what it described as a “sophisticated cyber-attack” designed to collect credit card and Social Security numbers and other financial information. In a statement in December 2013, the center said there was no evidence that anyone’s information was actually accessed or acquired. But approximately 59,000 clients and former clients were notified that information related to them might have been compromised between Sept. 17 and Nov. 8, 2013.
An information technology employee at the center became suspicious that sophisticated malware had evaded the organization’s security measures, leading officials to retain data security and technology consultants. Consultants confirmed on Nov. 22, 2013 that the security of certain client data might have been compromised and by Dec. 3, confirmed that additional data could have been compromised. “Out of an abundance of caution,” the center began notifying people on Dec. 2, 2013 and offered one free year of identify theft protection from one of the major credit card monitoring agencies.
The L.A. Gay & Lesbian Center declined to comment for this story, beyond providing the statement it issued in December.
According to the PRC, Kansas City, Mo.-based Veterans of Foreign Wars (VFW) in April notified members that an unauthorized party accessed the group’s web server through the use of a Trojan Horse and malicious code. The hacker, thought to be in China, was able to download tables containing names, addresses and Social Security numbers of approximately 55,000 members. The motivation, according to IT experts, was to gain access to information regarding military plans or contracts and not for purposes of identity theft, although they have not ruled that out, according to PRC.
While many data breaches are the result of human error (falling for a phishing scam), there are others that specifically target certain organizations. Officials at a nonprofit focused on human rights and democracy, which did not want to be identified in this story, said the organization’s system was targeted by hackers in China. “These are not run-of-the-mill phishing scams looking for credit card information but they’re purposely targeted,” said an IT director with the organization. “When you’ve got governments interested in knowing what we want to do before we do it or who is serving us on the ground in those countries, its purpose is to prevent the work of organizations…and potentially bring harm to individuals associated with us.”
A visitor to the human rights organization’s website several months ago would not have noticed anything out of the ordinary but there was a brief period when they could have been affected. “It could have been malware on their computers to monitor what they were doing, but there was no evidence that happened. It was a relatively brief window of opportunity,” he said.
In early 2013, the organization discovered its network had been hacked. “We had to take the entire network down over a long weekend, clean every single machine, servers and re-launch,” he said, re-architecting the network so any future breach could be isolated.
The organization has since extended two-factor authentication for all remote access. Some email providers have a form of this, in which users provide a mobile phone number and when they log into a device, at least the first time, get a text message code for verification. If an employee who is outside the office wants to access files, they can’t just put in a password but also must use a mobile phone or other device to generate a six-digit code. That means a hacker who steals a password can’t get in with just a password, he said.
Despite two-factor authentication, encrypting data or other measures to guard against breaches, the most common route for hackers is through user error.
Phishing is something that is manipulating someone into giving information or access to a computer. Phishing and spamming are widespread attacks, like your typical, run-of-the-million Internet scam in which a supposed prince tries to share his fortune with someone he’s never met.
“Spear phishing” is targeting organizations because of who they are, what they work on or where they work.
An email message from what appears to be someone familiar to a user will include a link to download something. The link, however, is more likely an unwanted access that downloads malware onto the computer.
The human rights organization has mandatory end-user training via a commercial service that has online videos giving them the ability to track which users have complied with that mandate. The service also allows for phishing testing, generating spoof phishing attacks to send to staff. “I can see weekly who among the staff are falling for those and determine whether to provide follow-up training or a gentle reminder,” he said. “It’s not punitive. I would never advocate beating up people who make mistakes. We all do. It’s important to understand the seriousness. You want to create a culture where people are free to tell you, ‘Ooo, I shouldn’t have clicked on this,’” he said.
Securing servers and websites is an expensive proposition. The organization, which has an annual budget in the mid-$20 million range, spends about $130,000 annually on security advisors who monitor devices, the two-factor authentication and video training. But the IT director warned: “I wouldn’t wait to get hacked to implement this stuff.” The maintenance costs don’t include the non-financial costs of decreased convenience or the estimated $35,000 it cost to remediate the server issues last year or the hacked website this year. Given recent history, he said there’s not much difficulty in making the case but said he’d still be fighting for the security measures regardless.
Kouns advises clients that if they broad-brush security, they could be focusing on the wrong things or types of data. The most important thing for nonprofit managers to understand is what they have in terms of data and to get their arms around what they’re collecting. Nonprofits are often put in positions where they have liability and don’t need it. “What are your assets, what are you holding? If you don’t need it, don’t ask for it; if you don’t need to keep it, don’t. Lower your exposure. Stop asking for Social Security numbers for the sake of it,” Kouns said, adding that collecting data comes with the duty to protect it.
Breaches could be former or dishonest employees or something as simple as a lost laptop. Other instances of a security breach might be hackers accessing a store’s computer system to get customer names and credit card numbers. Lots of breaches involved usernames, passwords or email addresses being lost, Kouns said.
“Most nonprofits have really bad security. They have that sort of mentality, ‘Why would they come after us,’” Kouns said. He pointed to a breach of Target stores earlier this year, which was the result of a third party, which could be a stepping stone of sorts to the real prize, a big retailer. Likewise, if a bad actor thinks a nonprofit has low security but works with bigger entities, Kouns said the organization could be used to get to the intended target. NPT