Everyone hears about data breaches hitting large companies like Yahoo!, Home Depot, Anthem, Sony, and Target. Nonprofit organizations also have crippling data breaches.
Earlier this year, a small nonprofit in Indiana fell prey to hackers, reports KQED. The organization is Little Red Door, whose mission is to reduce the financial and emotional burdens of cancer and promote cancer prevention. According to KQED, hackers got into the nonprofit’s server because a staff member accidentally downloaded malware. The hackers demanded $43,000 in exchange for return of the client files and financial data they had stolen. When the organization refused to pay, the hackers posted on Twitter private letters that the organization sent to grieving families who lost a loved one to cancer. Also, as a result of losing all of its files, the organization lost funding because it did not have the information it needed to apply for grants.
The Little Red Door’s story could happen to any nonprofit, no matter how large or small. According to the Privacy Rights Clearinghouse’s data breach database, 110 nonprofits in the United States have reported data breaches to state authorities since 2005. These reported incidents exposed data like employee, client, and donor names, addresses, Social Security numbers, and credit information. This number accounts only for data breaches reported in states, like California, where organizations are required to notify their Attorneys General upon discovery of a breach.
110 data breaches since 2005 may seem like a small number. However, other statistics indicate that nonprofit data breaches are much more common. A 2016 survey reports that a whopping 63% of nonprofit organizations (which equates to about a million organizations) suffered a data breach within the one-year period covered by the survey. These data breaches involved hacking, physical breaches like theft of devices or stolen files, a vendor or other third party being breached, or inadvertent errors like accidentally emailing confidential information to the wrong person.
Of these types of data breaches, the California Attorney General reported that malware and hacking present the biggest threat to our personal data. This is certainly true for nonprofits. As demonstrated by the Little Red Door, a hacking incident can leave a nonprofit organization unable to function and obtain funding.
To prevent such an incident, nonprofits should take steps to protect the information they collect and store. The first step is to understand all of the sensitive and confidential data in the organization’s files. Then, the organization may take steps to secure and protect its data and to have a remediation plan in place in case a data breach occurs. This work should be undertaken by a well-qualified cyber-security consultant.