Why Nonprofits Should Take Cybercrime Seriously In 2021

WordPress Security

Why Nonprofits Should Take Cybercrime Seriously In 2021

April 6, 2021

If cybersecurity isn't on your nonprofit's radar in 2021, it should be.

According to IBM and the Ponemon Institute's data breach report, cyberattacks are up by 92%. The average data breach today costs $3.86 million since the onset of COVID in March 2020.

Blackbaud, who serves about 45,000 nonprofits, even had its data stolen from their network in 2020. Hackers threatened to lock them and hundreds of its nonprofit customers out unless a ransom fee was paid. Their cybersecurity team was able to stop the hacking group from being locked out of its own data. Blackbaud paid the Bitcoin ransom with the understanding that the copied data would be destroyed.

Still, there are many nonprofit leaders that don't believe they can become victims of cybercrime. But the reality is that organizations of all sizes are on the map of hackers worldwide for website attacks, server breaches, email phishing scams, and ransomware.

As we head deeper into 2021, it is worth exploring nonprofits that have been victims of cybercrime over the past 10 years. We might be able to learn from their experiences and mistakes to possibly predict what lies ahead for the rest of the year. Hopefully, organizations can become better prepared for upcoming cybercrime threats.

Let's dive in.

2021

  • Harris Federation: The IT systems and email servers of a London-based nonprofit were taken down by a ransomware attack. Hackers hit 50 school trust's systems which led to the compromise and encryption of their IT systems, and 40,000 students lost access to their email.
Nazi songs and imagery on North Shore Hebrew Academy website's home page
Nazi songs and imagery on North Shore Hebrew Academy website's home page

2020

  • North Shore Hebrew Academy: Their website was hacked with anti-Semitic propaganda, messages, songs, and slurs. The home page of the school’s website was defaced with Nazi soldiers marching in the background. On the website's "About Us" tab, there were pictures of Nazi soldiers holding up swastikas and referring to the school as the "North Shore Concentration Camp."
  • Methodist Hospital of Southern California: Donor and patient information were accessed by hackers but the organization doubts the information was released to the public (or on the dark web). It included patients’ names, telephone numbers, email and mailing addresses, dates of birth, genders, and medical record numbers. They use their own fundraising databases hosted by Blackbaud - also hacked.
  • Beacon Health Solutions: REvilNetwalker, and Conti hacking groups stole personal and protected health information by encrypting all of their servers and computers. They posted about 600GB of sensitive data to the dark web in order to leverage a ransom: personal details, financial documents, Social Security numbers of clients, bank documents, and phone records.
  • The Family Health Centers of Georgia: The Conti hacking group posted data to the dark web from a nonprofit community health center and primary care medical home. The data was taken down quickly after being published. It's assumed they both negotiated a ransom fee.
  • Jewish Federation of Greater Washington: Hackers broke into a staff member's computer while they were working remotely during the pandemic. For three months, they stole $7.5 million from the nonprofit's endowment fund and funneled the money into international accounts without being detected by anyone in the organization.
  • Mission of Mercy: A small nonprofit that donates dental services had its bank account breached. Thieves stole a "substantial" amount of money from the organization. Toward the end of the year, the attackers tried a second attempt to hack the account but were unsuccessful. The transaction was flagged and the nonprofit was contacted.
  • Vero Beach Museum of Art, Inc.: A donor list of the organization containing detailed personal information on many of the island’s wealthiest and most noted philanthropists - was stolen by cyberthieves. The hack took place in Blackbaud where the clients stored their files and continued for three months.
  • Get Schooled: A New York-based charity suffered a data exposure that left records related to hundreds of thousands of students in an unsecured AWS bucket that was open and accessible from the internet.
  • Nevada’s Clark County School District: Hackers leaked private data about students and employees after school officials declined to pay a ransom: Social Security numbers, addresses, and retirement information, and files on students that included their names, dates of birth, addresses, schools, and grades.
  • Beech Brook: Hackers broke into the computer system of a nonprofit group working to help families and children and stole $136,823 from Cuyahoga County.
Fake email from the compromised Special Olympics New York email server
Fake email from the compromised Special Olympics New York email server

2019

  • Special Olympics New York: During the Christmas holiday, the organization's WordPress email server was hacked and the attackers later used it to launch a phishing campaign against their donors. The fake email messages sent to the donors informed them of an impending donation transaction that would automatically debit $1,942,49 from the target’s account within two hours.
  • Mission Health: A nonprofit in Western North Carolina experienced a data breach that involved the hospital system's e-commerce website being compromised. For three years, the website was sending payment information to "an unauthorized person" due to the hacker inserting malicious code.
  • Southern First Nations Network of Care: Had their system infected with ransomware with files for eight agencies that had been compromised. They weren't sure who had their information or how it's going to be utilized. And if there were no backups of the files, it will be very difficult to recover them.
  • People Inc.: A hacker broke into an employee's email account and a second one may have also been compromised. The attackers stole sensitive client information: names, addresses, Social Security numbers, financial data, medical information, health insurance details, and government IDs. They determined that a weak password was most likely the culprit and a brute-force attack allowed the attacker to get inside their system.
  • No More Tears: A small nonprofit that helps victims of sex trafficking and domestic violence in South Florida fell victim to their PayPal account getting hacked due to a compromised website. The executive director said she would receive emails that the donations were coming in but when she went to check the account, the money wasn’t there. The attacker redirected all of the donation payments to somewhere else.
  • Sweetster: For the second time, a nonprofit community mental health provider had its email accounts hacked. The breached data contained health information of current and former clients: client names, addresses, dates of birth, telephone numbers, and social security numbers.
  • Father Bill's & MainSpring: Attacked by ransomware but luckily their antivirus software used by the nonprofit was able to stop the ransomware attack in its tracks, without locking up any of the office computers or causing them to seize.
  • Long Island School District: Hackers held two school districts on Long Island hostage for three months, forcing one of them to pay $88,000 in Bitcoin in order to retrieve student and staff information before the school year started.

Hackers don't discriminate, and no matter how noble your nonprofit's mission, you could be vulnerable.

~ Michael Wolfe, Ontario Systems

2017

  • Save the Children: The major international organization was scammed when hackers broke into a staff member's email account and posed as an employee. They created fake invoices and other documents to fool the charity into sending $997,400 to a fraudulent business in Japan.
  • Our Revolution: They were a victim of an email scam resulting in the loss of about $242,000 from an electronic transfer of funds to an overseas account. It's known as a "CEO impersonation" where hackers break into a computer network and then make a fake wire transfer request that appears like a legitimate vendor.
  • Little Red Door: A small Indiana nonprofit had its server and backup drive hacked. All of their data was stripped, encrypted, and taken for ransom by an international hacker group. They threatened to contact family members of living and deceased cancer clients, donors, and community partners. The day after the hack, the hackers demanded a $43,000 ransom to be paid in order to return the data and keep it private.
For several days, a hacker's message remained on The Red Barn's website, declaring sympathy for the Islamic State
For several days, a hacker's message remained on The Red Barn's website, declaring sympathy for the Islamic State

2015

  • The Red Barn: Their website was hacked as part of a server-wide attack during a fundraising event. The damage was so bad that the organization had to remove its website, purchase a new domain name and rebuild it from scratch. They made the mistake of hosting their website with a cheap provider, HostGator, which is known for getting hacked in the past.
  • Planned Parenthood: Anti-abortion protesters hacked into their website databases and stole the names and email addresses of employees. In a separate incident, their website was hit by a denial-of-service attack which made the site crash after it was flooded with traffic to keep users from accessing it.
  • Utah Food Bank: This small organization had its WordPress website hacked and 10,000 visitors who donated online lost their personal information to identity thieves. For two years, the hacker was able to steal names, addresses, emails, and credit and debit card information from their website.
  • National Center for Charitable Statistics: Got hacked and lost 740,000 records including usernames, passwords, IP addresses, and other account data.
  • Colonial Williamsburg: Made an offer to help Iraq safeguard at-risk artifacts. Their website was hacked just days after the offer was announced.
  • Giving Children Hope: The home page of their WordPress website was hacked by self-identifying as Syrian rebel sympathizers. They changed with page into a black screen with red text reading, "I love ISIS."
  • Urban Institute: Their system for filing tax forms was breached and hackers were able to access about 700,000 usernames, passwords, IP addresses, and other account data for nonprofits that use the Urban Institute's National Center for Charitable Statistics (NCCS) to file their taxes.
Screenshot of the Girl Scouts Facebook page announcing the hacked website
Screenshot of the Girl Scouts Facebook page announcing the hacked website

2014

  • The Girl Scouts, Texas Chapter: The organization announced on Facebook that its website had been hacked with the homepage defaced. During the attack, users were registering and paying for camps on the organization’s website. They had to do damage control to ensure none of their customer's sensitive information had not been leaked "No permanent damage was done but you will notice that images and content may be missing and links may not be working properly. We apologize for this inconvenience ..."
  • Goodwill Industries: They were hacked using the same software that struck Target and Home Depot earlier in 2014. Their franchises in 19 states and the District of Columbia were affected which totaled 330 stores. An estimated 868,000 credit and debit cards were compromised.
  • WOLF Sanctuary: They had their Facebook page hacked and staff members’ access was blocked. The attackers also posted sexually explicit pictures and comics on their page - which could have been viewed by 277,000 followers. Facebook wouldn't do anything to bring back the old page so the organization had to start a new one.

2013

  • Easter Seal Society of Superior California: Thieves stole a laptop from the backseat of an employee's car. The organization lost the health care information, date of birth, notes and other sensitive data for more than 3,000 clients.

2011

  • Japan-America Society of Tennessee: Hackers took down the website of a nonprofit that was collecting donations for Japan and replaced the home page with profanity. Anyone trying to go to the group's home page encountered a mostly blank screen with an offensive phrase at the top.

By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.