With GDPR now very much in effect, how are charities faring when it comes to securing their data?
Thousands of donors to a children’s charity were put at risk last month after the database storing their personal information was made publicly accessible and readily available to criminals online.
Kars4Kids, an established non-profit that solicits funds through the sale of old automobiles, was notified of the breach on November 3 and secured the database two days later.
It is not known how long the information – which included emails, home addresses, phone numbers, and login credentials – was exposed, but, according to cybersecurity consultants at Hacken, who first shed light on the issue, it is highly likely that the data was downloaded by malicious actors.
“We take the security of our donors’ information extremely seriously,” Kars4Kids wrote in a statement issued to Hacken on November 7.
“After looking into this matter, we immediately secured the vulnerable database, notified the FBI cyber division, and also informed those donors whose information was affected.”
The Daily Swig asked Kars4Kids to clarify how many donors had been impacted by the incident, but the non-profit has yet to provide any comment.
Hacken said that the incident was another instance of an unprotected MongoDB document database – an issue which commonly occurs in versions earlier than 2.6.0, where authentication is not required by default.
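The misconfiguration described above is, at bottom, a database left listening on every interface with access control switched off. The following checker is an added example, not code from the article, from Hacken or from Kars4Kids: it parses the small `section:` / `key: value` subset of YAML that `mongod.conf` uses (no PyYAML needed) and flags the two settings that matter. Both sample configs are constructed for illustration; the `security.authorization` and `net.bindIp` keys are MongoDB's real configuration options.

```python
"""Audit a MongoDB YAML config (mongod.conf) for the two settings that most
often turn a database into a public, unauthenticated one: access control
left off and the listener bound to every interface.

Added example, not from the article or from Kars4Kids/Hacken. Only the
indented key/value subset of YAML that mongod.conf uses is parsed, so it
runs without PyYAML. The sample configs are constructed for illustration.
"""

# Constructed sample: the kind of config that exposes a database to the
# internet -- listening on all interfaces with authorization disabled.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: the hardened counterpart (localhost plus one internal
# address, with role-based access control turned on).
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse `section:` headers and their indented `key: value` lines into
    {section: {key: value}}. Comments and blank lines are skipped; values
    are kept as plain strings."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_conf(text)
    findings = []

    # MongoDB ships with access control off: unless security.authorization
    # is explicitly enabled, any client that can reach the port can read and
    # write every collection.
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that can reach the port has full access")

    # Binding to all interfaces exposes the listener beyond the host itself.
    # An absent bindIp is also flagged: releases before 3.6 listened on all
    # interfaces by default, so the setting should always be explicit.
    bind = conf.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp is not set: versions before 3.6 default "
                        "to listening on all interfaces")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        if addrs & {"0.0.0.0", "::"}:
            findings.append(f"net.bindIp={bind}: listener is bound to "
                            "all interfaces")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        issues = audit_conf(conf)
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

Running the block prints two findings for the weak config and `OK` for the hardened one. Turning authorization on only helps once at least one user with a role has been created, and a bind address is no substitute for a firewall in front of the port; the checker catches the configuration mistakes, not the surrounding network design.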
An absence of skilled resources
Insecure cloud storage, Hacken rightly pointed out, is by no means unique to Kars4Kids, but this latest breach may point to a deeper trend of charities struggling to maintain appropriate levels of data protection.
“I do see a lot of charities and NGOs with misconfigured cloud instances,” Bob Diachenko, director of cyber risk research at Hacken, told The Daily Swig.
“The main reason for that is the absence of skilled resources, which charities can, or want to, hire to develop and – what is even more crucial – maintain infrastructure.”
In the 2018 Cyber Security Breaches Survey, conducted by the Department for Digital, Culture, Media & Sport (DCMS), 19% of non-profits surveyed had experienced a cyber intrusion over the last 12 months, with just 21% having a formal cybersecurity policy in place.
These have included high-profile attacks on Cancer Research UK and The Bible Society, the latter of which resulted in a £100,000 ($127,620) fine from the Information Commissioner’s Office over the charity’s failure to protect the personal details of 417,000 donors with a secure password.
That same report, issued a month before the EU’s General Data Protection Regulation (GDPR) came into effect, highlighted that 63% of charities, once faced with a breach, had gone on to implement further preventive measures such as updating firewalls or raising staff awareness.
But while the non-profit sector is typically more willing to protect an individual’s privacy than larger businesses, which tend to weigh security spending against turnover, financial constraints and a lack of employees often mean that only so much can be done.
“This also creates difficulties in the responsible disclosure process, as in most cases there are no indicators that would help to identify the owner of data,” said Diachenko, noting that Kars4Kids had appreciated the notification about its misconfigured MongoDB but had no bug bounty in place because of the constraints that most charities face.
According to Russ Schrader, executive director of the National Cyber Security Alliance, charities must look carefully at who has access to their data.
“A lot of charities are run by volunteers or people who are working part time, so because you have a lot of people who are coming in and have not, perhaps, gone through the full vetting that you would have for a full-time employee, you really need to restrict access to the data and credentials,” Schrader told The Daily Swig.
According to a report published by the National Cyber Security Centre (NCSC) earlier this year, an overriding ‘culture of trust’ makes the non-profit sector particularly vulnerable to criminality, with malicious actors deploying a range of tactics parallel to those used against businesses, which have equally had to adjust to transactions now taking place predominantly online.
“As charities compete for funds, a cyber incident may (at least in the short term) discourage donors, which could in the extreme pose an existential threat to a small charity,” the report said.
Schrader adds that once a person is no longer volunteering at a charity, the organization should ensure that the individual’s credentials are erased in order to prevent further access to any database, and that continuous software updates need to be a priority.
“The machines and programs that they [charities] use are no different [than businesses], so they’ve got to keep them patched,” he said.
A welcome wakeup call
The introduction of GDPR, originally perceived as legislation that would cripple charities with the costs of compliance, has instead prompted a move towards better digital hygiene, with 63% of non-profits telling the Foundation for Social Improvement (FSI) that they were prepared when the law came into effect at the end of May.
“I definitely think that GDPR was a wakeup call,” Lindsay Harrod, who works with the FSI, a charity offering training and advice to nearly 7,000 non-profits across the UK, told The Daily Swig.
“It was so prevalent in the news, and it was something that a lot of people hadn’t thought about at all.”
The FSI, which had to update its own cybersecurity protocol in light of GDPR – things like using a password manager and choosing the right cloud-based software – partnered with the NCSC in order to provide workshops for smaller charities feeling the strain of new data protection rules.
As a result, 39% of these organizations felt more confident in their IT systems and security measures in March to May 2018, up from 34% recorded in the previous quarter in the FSI’s Small Charity Index.
Harrod said: “GDPR can actually be seen as an opportunity to look after your donors in a proper way and to make sure that you weren’t taking them for granted or abusing their data.”