Today's New York Times reveals that the folks who hacked the website of JP Morgan Chase, one of the world's largest banks, also hacked the website and account of the bank's affiliated charity arm - the Chase Corporate Challenge.
In July, GoodWill Inc announced that hackers had accessed information on payments processed by the nonprofit employment program.
Waaaaay back in 2007 hackers breached the security systems at Convio Inc., gaining access to donor information for more than 90 charitable organizations.
Universities have long been, and in 2014 seemed to grow as, a target for cybersecurity breaches.
I'm sure that hospital systems, not-for-profit health care providers, non-profit financial firms, and even philanthropic foundations are also tempting targets.
Why does this matter? In the Chase Corporate Challenge case it appears that the hackers were looking for a way into the bank via the nonprofit portal. (NYT says that didn't work. In this case.) In other cases the stash of information - on donors and their financial details - may be tempting enough on its own. For those with malicious motives beyond financial gain, accessing information on program participants, program beneficiaries or planned activities may be enough - especially for organizations doing politically, religiously, or culturally sensitive work.
All of this steals the thunder from one of my intended Blueprint 2015 predictions, that hacking, cybersecurity and nonprofits would rise to public attention next year. (It just came on earlier than I thought.)
Cybersecurity and protecting the digital information that nonprofits collect and store is important on the organizational level. It's also important on a systems level. Collectively, given the capacity constraints for most nonprofits and the linked nature of digital data, information breaches from individual organizations can serve as open doors to breaches across organizations and whole sectors. The limited ability of nonprofits to protect information they gather online - even when they outsource the service to third party vendors (who struggle to stay in front of malicious hackers) - makes not just the nonprofits and foundations vulnerable but also their affiliates and partners.
Security experts can tell you what to do to protect your web and digital assets. I think about this more from the programmatic and human side. Too often I see foundations and nonprofits choosing to collect information from people just because they can. It's easy to ask for addresses, phone numbers and email addresses, even when you don't need them and may not know why you would use them. It's easy (and cheap) to store that information somewhere online. And it's easy to forget about it.
We need to shift our organizational mindsets about collecting information from those we serve. We should stop thinking about information collection as an "all you can eat buffet," where the ease, speed and price of collecting and storing is so low that "more is better." Commercial websites have habituated us to assuming that we have to trade our data (address, birth date, email, phone number and so on) for access. That's a value exchange and a type of transaction that nonprofits simply don't need to perpetuate.
Any organization that doubts its ability to protect your digital information (i.e. ALL honest organizations) should approach the collection of information with great care. Given our human propensity to re-use passwords, we should even consider whether requiring passwords for public access to nonprofit websites makes any sense. Our users will most likely use the same password they use everywhere else, we won't be able to protect it, and - oops - there goes that breach: a password leaked from our site unlocks their accounts elsewhere. Rather than the "all you can eat buffet" approach to user information, let's shift to "don't let your eyes be bigger than your stomach." In other words - don't ask for what you don't need. That way, you won't need to worry about having it and losing it. (Or being subpoenaed for it - more on that elsewhere.)
Nonprofits bank on trust and integrity. We need to shift our digital behaviors to reflect this when it comes to collecting, storing (and possibly losing) information from those with whom we work.