Cyber Security and Nonprofits

Goodwill – a nonprofit that provides job training and services to people with disabilities and operates over 2,600 thrift stores – came forward in July of 2014 to announce that the private information of its customers was hacked and stolen. A couple months later, after a security probe initiated by the organization finished up, Goodwill provided a thorough breakdown of the attack.

Hackers accessed the databases of a third-party vendor named C&K Systems, Inc., a company that Goodwill contracts to process around 10 percent of its sales data. The numbers for some 868,000 credit and debit cards were stolen from 330 different thrift store locations in 19 states, plus Washington, D.C. The nonprofit announced that payment card brands reported very few illicit purchases from the stolen numbers in the wake of the hack.

Each year, it seems like the list of businesses and organizations compromised by online fraudsters gets longer. In 2014, victims ranged from retail to food service, utility provider to government agency; Target, Neiman Marcus, Yahoo Mail, AT&T, P.F. Chang’s, UPS, Home Depot, and the U.S. Weather Service make up a partial list of high-profile hacking targets last year.

What happens to the stolen information varies case-by-case. Suspected hackers range from Eastern European crime syndicates and international hacking collectives, to actual governments.

In the case of stolen credit card information, the hackers seldom use the information themselves, fully aware of how easily tracked such behavior would be. Instead, they often peddle credit card information in secretive online forums, where buyers parse through various offers, making purchases and then transferring the stolen information onto the magnetic strips of dummy credit cards. Some criminal rings then make as many big ticket retail purchases as possible before the victim and the bank figure out what is happening.

Other hackers essentially act as digital ransom-takers, evidenced by the recent attack on Banque Cantonale de Geneve, a Swiss bank. On January 9, an international hacking collective known as Rex Mundi announced that they had over 30,000 private emails from customers, and that they would release the information in the bank did not pay €10,000. This small asking price represents a diversification of revenue streams for Rex Mundi and similar hacking groups. Criminal rings use “ransomware” to lock systems, or threaten to release stolen information, and then demand relatively small payoffs before moving on to their next target. Going after many targets and issuing small ransom demands increases the return on the hackers’ thievery.

When a business or nonprofit possesses the private information of its customers, clients, or donors, it carries a great responsibility to ensure optimum privacy and, in the event that it is compromised, the duty to make sober assessments and analyze data breaches with the utmost transparency. Goodwill, perhaps the highest profile nonprofit hacking victim to date, acted most commendably following the theft of its customers’ information. But in a digital wild west of criminal hacking, finger pointing can stand in the way of accurate information.

The Sony hack – in which scores of embarrassing emails, private staff information, and unreleased movies were stolen – created quite a stir. Common speculation held that North Korea was to blame for lashing out over the comedic film The Interview, which depicts a fictional assassination attempt on Kim Jung-Un. This widely-held belief led the United States government to retaliate – digitally. A suspected U.S. cyber attack temporarily cut North Korea’s internet service in late December.

The big issue? Many security analysts agree that the hack likely started with an internal breech, perhaps from a disgruntled employee. Sony made little effort to pursue this line of inquiry, because the popular narrative placing all of the blame on North Korea let the company off the hook. If Sony was directly responsible for the data breach, the company could face lawsuits from employees with compromised information, as well as other legal and financial headaches that were otherwise taken care of by the North Korea story.

Hacking and digital crime affect how consumers perceive and use online services. In response to ongoing security concerns, consumers stand to reevaluate how they share their private information – an essential component of patron and donor relationships with businesses and nonprofits. Following trends in cybersecurity and the state of consumer confidence is essential for nonprofits, in that it allows organizations to spot potential weaknesses before an attack and enables them to prepare a measured and responsible reaction in the event of one.

PricingPrivacy PolicyRefund Policy