The Underbelly of Altruism: Non-Profits in the Cyber-Crosshairs
Non-profit organizations often symbolize goodwill, public service, and humanitarian efforts. Yet, even these beacons of societal benefit are not beyond the reach of cyber-criminals seeking to exploit any vulnerability for financial gain. As more organizations have digitized their operations—sometimes without sufficient cybersecurity measures—the threat landscape has transformed drastically. Our report uncovers the top 10 most financially damaging hacks that non-profits have suffered, revealing a concerning trend where the sanctity of charitable works offers no shield against digital malevolence.
From infiltrating the remote work setup of an unknowing employee to daring claims of ‘robin-hood’ acts from dark web dwellers, the methods and narratives spun by today’s hackers are as varied as they are disturbing. This introduction will prime you for a deeper look into the substantial losses faced by non-profit entities as a result of cyber-attacks, detailing both the ingenuity of attackers and the often-overlooked vulnerabilities within philanthropic organizations. The Jewish Federation of Greater Washington’s $7.5 million loss to a hacker exploiting a personal computer sets a harrowing precedent for what organizations might face in this digital era. Moreover, the confounding behavior of hackers like those from the Darkside group, who donated stolen money to charity, adds layers of moral and legal quandaries to an already complex issue.
Whether driven by greed, the thrill of the challenge, or convoluted ethical justifications, hackers are impacting non-profit organizations in substantial, costly ways. These incidents not only erode financial resources but also the trust and integrity vital to the nonprofit sector’s survival. As we dive into the top ten costly hacks, it is crucial to recognize the imperative for robust cybersecurity practices as a cornerstone of modern non-profit operations.
1. The Jewish Federation of Greater Washington – $7.5 Million Stolen
In a shocking breach of cybersecurity, a hacker infiltrated a personal computer of a remote employee at The Jewish Federation of Greater Washington, resulting in the theft of a staggering $7.5 million from the non-profit’s endowment funds. This 2020 incident underscores the heightened vulnerability non-profits face when personnel work from remote locations, particularly using personal devices. CEO Gil Preuss described the situation as “heartbreaking and devastating,” emphasizing the need for rigorous security measures.
The breach was only detected when unusual activity in an employee’s email account was spotted by a security contractor. The hack not only resulted in a significant financial loss for the non-profit, which employs 52 people, but also led to a comprehensive overhaul of their security protocols, including the prohibition of personal computer use for work and an audit to assess further damages. The FBI’s investigation into the incident highlights the non-profit’s plight and serves as a cautionary tale for other organizations. Here’s a glance at the key points:
- Year: 2020
- Location: Maryland, USA
- Amount Stolen: $7.5 million
- Detection: Unusual email activity
- Response: Banned use of personal computers; full audit
For more in-depth information on this incident, click here.
2. Save the Children Federation – Nearly $1 Million Fraudulent Transfer
In 2018, the Save the Children Federation, a respected non-profit, fell victim to a sophisticated email scam that tricked the organization into sending nearly $1 million to a fraudulent entity in Japan. The hackers, posing as an employee, compromised an email account and created fake documents, directing funds supposedly for solar panels for Pakistani health centers. Year: 2018. Location: Fairfield, USA. Amount Stolen: Nearly $1 million. Recovery: Insurance covered most of the loss, leaving a deficit of $112,000. Following the incident, the charity bolstered its cybersecurity measures.
The scam’s details are crucial: the hackers’ guise was credible because Save the Children has been active in Pakistan for decades. Despite the significant monetary loss, the charity’s insurance mitigated the financial damage, excluding $112,000. This episode underscores the need for rigid cybersecurity protocols, especially in verifying the authenticity of communications and transactions. For a more detailed account of the Save the Children incident, click here.
3. Blackbaud Ransomware Attack – $49.5 Million Settlement and Fines
In a distressing event for the nonprofit sector, Blackbaud, a major software provider, suffered a ransomware attack in 2020 that compromised the data of around 13,000 nonprofit entities. The breach exposed sensitive information including health data, Social Security numbers, and financial details of donors and clients. The South Carolina-based company, serving various nonprofits, universities, hospitals, and religious organizations, faced severe repercussions for understating the gravity of the breach and for paying a ransom to the cybercriminals.
The financial fallout from this incident was significant. Blackbaud agreed to a $49.5 million settlement with attorneys general from 49 states and Washington, D.C., and also incurred a $3 million fine from the U.S. Securities and Exchange Commission (SEC) for misleading investors about the nature of the stolen data. Indiana received the largest share of the settlement at nearly $3.6 million. The company’s response included bolstering its data security practices and committing to better customer notification in the future. This high-profile case serves as a stark reminder of the potential costs associated with data breaches and the importance of transparency. For more on the Blackbaud settlement, click here.
4. One Treasure Island – $650,000 Siphoned from Affordable Housing Funds
In late 2020, a devastating cyberattack targeted One Treasure Island, a nonprofit with a vision to transform the man-made island in San Francisco Bay into a sanctuary for the disadvantaged. Hackers methodically drained $650,000 from the organization’s funds, which were allocated as a loan for affordable housing projects on the island. This incident underscores the vulnerability of nonprofits to sophisticated digital thefts and the dire consequences for community-driven initiatives.
The attack began just before the holiday season, a time typically associated with giving and goodwill, yet it marked the start of a month-long financial nightmare for the nonprofit. The stolen funds were crucial for supporting low-income and formerly homeless individuals, demonstrating the deeply personal impact cybercrime can have on society’s most vulnerable. As nonprofits increasingly rely on digital transactions, the importance of robust cybersecurity measures becomes ever more apparent. For a detailed account of the incident, click here.
5. Minneapolis Public Schools – $1 Million Ransom Demanded by Medusa Ransomware Gang
The stolen funds were crucial for supporting low-income and formerly homeless individuals, demonstrating the deeply personal impact cybercrime can have on society’s most vulnerable. As nonprofits increasingly rely on digital transactions, the importance of robust cybersecurity measures becomes ever more apparent. Moving on, another nonprofit fell victim to cybercriminals when the Minneapolis Public Schools faced an aggressive ransomware attack by the Medusa gang.
In this brazen case, the hackers demanded $1 million from the Minneapolis Public Schools, threatening to release sensitive data online. The incident, which occurred in February of 2023, was initially downplayed by the district as an “encryption event,” but the severity became clear when the gang posted a video showcasing some of the stolen documents. This attack is not just about monetary loss but also poses a risk to the privacy and security of student and staff information. The ransomware gang’s tactics are a step-up in aggression, with options to extend the ransom deadline for $50,000 per day or allow third parties to purchase the data for $1 million. According to cybersecurity expert Brett Callow, these new tactics are “experiments” to improve ransom payments from targeted organizations, indicating a disturbing trend that could continue if found effective. The incident underscores a growing need for educational institutions to enhance their cybersecurity infrastructure and protocols. For further details, you can view the full report here.
6. Norton Healthcare – Personal Information of Nearly 2.5 Million Patients Accessed
In May, Norton Healthcare, a nonprofit healthcare system based in Louisville, Kentucky, fell victim to a ransomware attack that compromised the personal information of nearly 2.5 million individuals. This breach ranks as one of the most significant in the non-profit sector, not only for the number of people affected but also for the sensitivity of the data involved. Norton Healthcare is a prominent institution with over 40 clinics and hospitals and is the third-largest private employer in the city.
The attackers accessed a variety of sensitive information including:
- Social Security numbers
- Dates of birth
- Health and insurance information
- Medical identification numbers
While the electronic medical record system Norton MyChart was not accessed, the breach still represents a significant loss of sensitive personal and medical data. Norton Healthcare informed law enforcement and noted in their communications that they did not pay any ransom. The data breach was attributed to the ALPHV/BlackCat ransomware gang, which claimed to have exfiltrated almost five terabytes of data. As of now, Blue Shield of California and other healthcare organizations have also reported breaches, indicating a troubling rise in cyberattacks within the healthcare sector. For more detailed insights into the Norton Healthcare incident, you can access the full report here.
7. Save the Children International – 6.8 TB of Data Stolen by BianLian Hacker Gang
The humanitarian organization Save the Children International faced a severe cybersecurity incident in 2023 when the BianLian hacker gang infiltrated their systems. This attack resulted in the theft of a substantial 6.8 terabytes of sensitive data, including HR files and personal information of those served by the non-profit. Approximately 800 gigabytes of this data were financial records, posing significant risks to individuals and the organization itself.
The breach was first disclosed by the cyber gang itself and later confirmed by Save the Children. Despite the setback, the organization continued its operations, providing services while managing the crisis. The stolen data, used as leverage for ransom, could potentially be sold off or distributed if demands are not met, threatening both privacy and security on a large scale. For more in-depth information, refer to IDStrong’s report on the incident.
8. Bill Murray’s NFT Charity – $185,000 (119.2 ETH) Stolen
In a high-profile incident, hackers targeted the charity auction of actor Bill Murray, stealing $185,000 worth of cryptocurrency. The theft occurred just hours after the successful conclusion of an NFT auction that raised 119.2 ETH for charity in September 2022. Despite the efforts of a wallet security team to safeguard Murray’s digital assets, the hackers were able to transfer the funds to an address connected to the crypto exchange Binance and Unionchain.ai.
The attack did not entirely derail the charitable efforts, thanks to the generosity of the auction’s runner-up bidder. Coinbase user Mishap72 stepped in to replace the lost amount, offering 120 ETH (approximately $187,500) to Chive Charities, the intended beneficiary. This act underscored the community spirit often found within the crypto and NFT space. The theft, which took place at approximately 7:00 p.m. ET, is a stark reminder of the vulnerabilities that exist within the digital currency realm. For further details on the breach, the security response, and the steps taken towards recovery, see the in-depth coverage by CoinDesk.
9. Maternal & Family Health Services (MFHS) – Sensitive Data of Approximately 461,070 People Exposed
In a sobering example of cyber vulnerabilities facing non-profit organizations, Maternal & Family Health Services (MFHS), a Pennsylvania-based health provider, suffered a significant data breach. MFHS disclosed that sensitive information pertaining to nearly half a million individuals was compromised due to a ransomware attack. The incident initially came to light on April 4, 2022, although the breach possibly dates back to August 21, 2021. This revelation heightens the concern over the security of personal data held by non-profit entities.
The data exposed in the breach included a comprehensive range of personal details:
- Dates of birth
- Driver license numbers
- Social Security numbers
- Usernames and passwords
- Health insurance information
- Medical information
- Financial information, including credit and debit card numbers
Despite the clear risks, it is still unclear who executed the attack, whether a ransom was paid, or why MFHS delayed the disclosure of the incident. The breach, detailed in a notification from the Maine attorney general’s office, serves as a stark reminder of the importance of robust cybersecurity measures for protecting sensitive information.
10. People Inc. – Up to 1,000 Clients’ Sensitive Data Exposed
In February 2019, People Inc., a New York-based non-profit, fell victim to a data breach that compromised the personal information of possibly up to 1,000 clients. As a provider of critical services such as residential care and healthcare for vulnerable populations, the breach at People Inc. exposed a variety of sensitive client data, which included:
- Social Security numbers
- Financial data
- Medical information
- Health insurance details
- Government IDs
An employee’s email account was the breach point, potentially allowing unauthorized access through a weak password. Despite the breach, no reports of data misuse surfaced. Prompt actions were taken to reset passwords and disable compromised accounts, and a cyberforensics firm was engaged along with the FBI to investigate the breach. On May 29, the non-profit informed clients of the incident and offered free credit monitoring services. This incident underscores the critical need for robust cybersecurity measures in protecting sensitive information. For more details, refer to a corresponding news story provided by NBC news affiliate WGRZ.
In our commitment to provide an accurate and comprehensive overview of the most costly hacks to non-profit organizations, we have meticulously gathered a significant number of news stories from reputable sources. Each story is thoroughly vetted to confirm its authenticity and relevance to the topic. We extract the key statistics and facts from each incident, such as the year, location, and the amount stolen or compromised, to construct our top 10 list.
Our methodology is rooted in cross-referencing multiple reports to ensure data accuracy. We prioritize incidents based on the financial impact and the scale of data breaches, with special attention to cases like the $7.5 million stolen from The Jewish Federation of Greater Washington in Maryland, as reported by sources such as Security Boulevard. This approach allows us to present a clear picture of the significant threats that non-profit organizations face in the digital age.