NonProfit Hacks: Too small to be hacked? Not!

By Laura Haight
Part One of a multi-part series on fraud and cyber risks for nonprofits. Click here to get each post emailed to you in the Digital Thinking newsletter. 

In February 2015, the National Center for Charitable Statistics was hacked. The organization that uses its base of 990s to analyze trends in the nonprofit sector lost 740,000 records including usernames, passwords, IP addresses and other account data.

'OK,' you think, 'that's understandable. They're big. They have something a cybercriminal or hacker would want.' Other large nonprofits, like the Heritage Foundation, Easter Seals and Veterans of Foreign Wars have been hacked as well. But small nonprofits fly under the radar, right? What would a hacker want from you?

The reality is that small nonprofits may be among the most vulnerable to hackers for several reasons:

  • Nonprofits are often understaffed, utilize volunteers rather than paid professional staff and don't have the expertise or the infrastructure to implement and maintain best practices for security.
  • Most nonprofits use a reputable online payment system that is protecting credit card information. But sensitive information that is of interest to hackers goes well beyond a credit card number: User names, email addresses, physical addresses, and, potentially, passwords can all be put to use by hackers. 
  • Shadow databases are prevalent and easy for hackers to get into. While you may have a central donor or CRM system, licenses can be expensive. When nonprofits need to involve volunteers, they may extract information from the secure database into an unencrypted spreadsheet and email it out. That's a far-too common practice and a dangerous one.
  • Finally, because they can. Sean Parker, co-founder of Napster and founding president of Facebook says: "This is core to the hacker mentality: We hack systems that can be hacked and leave the rest." Hackers take over your website to gain a foothold to push a message or to spread malicious code to your viewers. Hackers take over your computers with malware that can turn your hardware into bots waiting for an activation to participate in larger hacks or attacks on bigger systems. Nonprofits are very vulnerable to these kinds of hacks because the hackers don't have to work very hard to get in and are unlikely to be found out.

"It's really impacting us"

The Red Barn, a small Alabama nonprofit offering equine therapy and recreational activities for disabled children and veterans, was hacked in April 2015 by an ISIS sympathizer. For days, the website which was hosted by HostGator, a well-known national hosting firm, displayed an ISIS flag and pro-Islamic State message. Although that message was brought down fairly quickly, it was many more days before Google stopped displaying the hacked content in search results.

The organization's leader Joy O'Neal told the website "As a small nonprofit, it really is impacting us. It scares our parents, our students and our families." For more than a week after the hack occurred, the organization was distracted from its mission as the phone rang off the hook with constituents, partners and donors wanting to know what was going on. 

It will be little comfort to O'Neal and her team that they are not alone. In fact, the FBI in April released a nationwide alert about the Islamic State hacking and defacing websites. It particularly cited vulnerabilities in Wordpress - one of the largest, if not the largest, website platform and a favorite of nonprofits. 

The FBI investigating a similar hack in Nashville, TN, said they advise people not to visit websites that have been hacked, even once they seem to be back to normal. In an interview with, Special Agent Scott Augenbuam warned that hackers install malicious code deep into a website's core. Nonprofit websites have been a frequent target of hackers, Augenbaum said. Often because they use free software, inexpensive hosting, and lack the expertise to adequately protect themselves. 

Lost records can be costly

How well does your nonprofit protect donor information? It's definitely a moving target. If you accept checks in the mail or the lockbox company returns them to you, there are several stops along the way where sensitive information - including routing numbers, account numbers and sometimes even driver license numbers - can be intercepted. If staff or volunteers work from home, they are likely to be taking sensitive organizational information home with them on unsecured USBs, laptops or mobile devices.

That turned out to be a costly practice for the Easter Seal Society of Superior California. The organization lost the health care information, date of birth, notes and other sensitive data for more than 3,000 clients in 2013 when thieves stole a laptop from the backseat of an employee's car. 

In cases like this, the nonprofit was probably not being targeted. They were just easy. The likely scenario is that thugs saw the laptop as a target of opportunity. Once they had it, they realized they had a valuable commodity to sell. And, whether the data was sold or the not, doesn't change the way the nonprofit must — both legally and ethically — respond: Notify those whose records were exposed, potentially offer compensation such a fraud monitoring, and take the hit. 

The Human Factor

A reliance on volunteers is both the core strength and the greatest vulnerability for nonprofits. From careless but reckless tech activities that put your organization at risk to deception and fraud, nonprofits need to take additional steps to ensure vigilance and strong internal financial controls.  Trust - the bedrock of nonprofit and charitable organizations - is not a control. And it can dangerously cloud your ability to clearly effectively protect your organization.

The Association of Certified Fraud Examiners Report to the Nations 2014 includes a fraud prevention checklist. They top the list with training and awareness, as well as establishing a mechanism for reporting fraud or suspicious activity. While your website, database and computer network are a high risk of malware or cybercrime, the biggest risk is very often a trusted employee or volunteer sitting right down the hall. Make sure you have established the internal controls and procedures necessary to protect your assets.

Taking the hit

The hit from a cyber attack is two fold: An organization can be shut down for days, a website for weeks. That costs the organization donations that are often made online. Record loss in 2014 carried an average price tag of $145 per compromised record. That is a huge ticket for any business, but particularly crushing for a small nonprofit. And the reputational damage can be even worse. Donors have many places they can give and, while anyone can be hacked or victimized, the perception that a hacked or defrauded nonprofit wasn't diligent enough can turn their heads.

For that very reason the depth of nonprofit hacks and frauds may never be fully known. They are often kept as quiet as possible so as not to engender bad press, or raise doubts among its donors and major supporters. 

This is the first of a multi-part series on fraud and cyber risks for nonprofits. Future posts will deal with best practices for protecting websites, for technology, internal controls even a three-person nonprofit can implement, training your guardians, and how to monitor. Click here to get each post emailed to you in the Digital Thinking newsletter. Don't make it easy. Take action by learning about our BizSafe program.

More posts on security