Why hackers profit from non-profits

Monday, 28 August 2023

It’s a low blow when people who give to charity find their act of generosity causes their personal details to end up on the dark web.

It’s frightening for the donors, but also for the charities who face potential legal action, regulatory scrutiny, and reputational damage that’s not going to help them get more donations.

Charities have long been a soft target for cyber criminals. They frequently lack the funds to invest in high level cybersecurity and their data is rich with the personal and financial details of wealthy individuals. The latest case to grab the headlines concerns a Brisbane-based telemarketing company that suffered a cyber breach in April 2023. Now the personal details of thousands of donors to well-known charities have been published to the dark web.¹

The case highlights the importance of making sure you assess the security status of your third-party providers. Because no matter how good your own security is, when your data is hosted by a third party your security is only as good as theirs. And that applies to all businesses, not just charities, and neither can afford the business interruption such attacks bring.

Due diligence is essential. Find out what cyber risk strategies your supplier uses and whether your data is secure. A commonly used platform for managing donations is Blackbaud, whose US proprietor paid a US$3 million settlement recently after failing to report the full impact of a ransomware attack last year that affected thousands of schools, universities, and other nonprofit organisations.²

Charities and organisations alike need to ask potential suppliers about their risk management plan. Have they assessed their risk and taken reasonable steps to manage it? Are they aware of the regulations covering privacy and cybersecurity and do they comply?

Timing during an attack is critical. Ask about their policies and procedures in the event of a breach. What is their response plan? Will they engage an expert investigator who can tell them exactly what data was exfiltrated? What and when will they communicate the outcome of the investigation with you? Many organisations delay action because they don’t know what to do, and delay disclosure even longer because they fear repercussions. This gives the cyber criminals even more space to conceal their actions and come back for more.

It is essential to partner with suppliers who are aware of their obligations and have a clear plan to manage cyber risk. The recent Brisbane example is unlikely to be over. It’s months since the breach and a small portion of the data has only now been published to the dark web. Just because they’ve been quiet doesn’t mean they’re finished. This is just an indication of what they can, and possibly will, do.

Ask your potential supplier about their policy on retention of data. In the recent case, some of the charities affected hadn’t used the telemarketer for as long as a decade and some of the data was fifteen years old.³ Will they delete your data when the project is concluded, as privacy laws require? Or will they leave you and your data exposed to risk for years to come?

Failing to take appropriate steps to identify your supplier’s risk may leave your organisation exposed. Don’t just ask these questions, have them written into your contract. And if they won’t do that, think carefully about doing business with them because they’re high-risk. And their risk is your risk.