Charitable misgivings

02 November 2010
Wendy M. Grossman

Trust makes the world of non-profit charity go round, and a breach of this trust can lead to irreparable damage of a charity’s reputation. Wendy M. Grossman investigates the unique pitfalls facing those who are in the business of giving.

At first glance, it might seem that the information security problems faced by charities are pretty much the same as those faced by everyone else. They must comply with the same data protection laws, and meet PCI compliance for credit card information. They are threatened by the same malware and denial-of-service attacks. They are also as much at risk of having laptops stolen as any commercial organisation.

“In many ways it is the same as any other company”, agrees Brian Shorten, the risk and security manager for Cancer Research UK. “Every company has assets that need to be protected, so you’re always working out the risks and how to mitigate them. The difference is what the assets are.”

When Shorten was working for Standard Bank, the most important asset he had to protect was physical money. When he was working for MCI Worldcom, it was the usage of telecommunications services. “With charities, it’s reputation and donors’ trust.”

"All the cardholder data is held exclusively by us and isn’t passed to charities unless the donor opts into communication by the charity"
Charlie Arnott, JustGiving

In his own case, he says, “One in three people are affected by cancer at some point in their lives. Cancer Research UK has a reputation that could easily be lost.” It’s not like banks and politicians, he says, who can still carry on even though their reputation may be challenged. “We can’t do without them.” By contrast, “I’m not sure our reputation would take a hit and rise back again.” Understandably, he doesn’t want to find out: “I do not want to be the first charity to be fined half a million pounds by the Information Commissioner.”

Reputation is everything

The most obvious issue for charities is supporter data, which includes – but is not limited to – credit/debit card details. Shorten believes that a charity is subject to more significant reputational risk than an ordinary company.

“Our reputation is worth more to us than to a bank”, claims Shorten. “People don’t have to give money to us. They could give it to Marie Curie and it would still help cancer.” A breach would mean bad press and the attention of the purchasing cards industry – who could potentially impose a fine, require an audit, or even pull the organisation’s card authorisation until its systems have been remediated. None of these are things a charity could recover from easily.

"The resources non-profits have for infosecurity are very scarce, to be conservative"
Amichai Shulman, Imperva

The complexity of charities is quite different from comparably sized commercial organisations. Cancer Research UK has 500 to 700 shops – “more than Sainsbury’s” – each with a complement of assistants and helpers, many of them volunteers, which in itself makes for an unexpected set of issues.

“I was once told that we have area managers who would not go into shops carrying a laptop because some of the people in the shops would consider that it was a waste of the money they were collecting in the shops”, Shorten says. “How you would run an organisation the size of Cancer Research without electronic help I could never find out.”

That sort of attitude is part of a complex of expectations that do not apply outside the non-profit sector: people want to give money to charities to further a particular cause, and often judge the effectiveness of a particular charity by looking at the percentage of donors’ money that gets spent on administration and overhead.

Under pressure

Spending money on information security therefore can, unfortunately and ironically, make the charity less appealing to donors. On top of that is, of course, the well-known fact that charities have fewer resources to spend on infosecurity to begin with than a comparably sized company.

“The resources non-profits have for infosecurity are very scarce, to be conservative”, admits Amichai Shulman, co-founder and chief technology officer of the Israeli company Imperva. The fact that people judge charities by how little they spend on overheads, he says, “makes charities very challenging in terms of infosecurity.”

"I do not want to be the first charity to be fined half a million pounds by the Information Commissioner"
Brian Shorten, Cancer Research UK

Imperva sells software and services to protect web servers. Among his customer charities, Shulman says, is one that approached him after an intensive attack campaign. “Luckily for them it was not successful, but they were alarmed to the point that they decided to go on and invest in our technology.”

While the types of attack are the same, Shulman notes that what adds to the security challenge for non-profits is that their fewer resources often also attract less skilled staff. His answer: outsourcing.

“It’s sales propaganda”, Shulman says frankly, “but given the fact that non-profits have very little resources they should look for the kinds of solutions that require less effort to manage and configure. One of the things we are best at is providing web security and database security with minimal management and configuration effort because we have a technology that automatically learns the user interface or database usage pattern and uses that knowledge as a baseline whitelist for detecting attacks.”

Many charities do outsource at least a portion of their activities, including fundraising. The ten-year-old website JustGiving has built its business on just that principle, that the rules regarding PCI compliance and data protection are complex enough to make it logical to let a specialist bear the burden.

“All the cardholder data is held exclusively by us and isn’t passed to charities unless the donor opts into communication by the charity”, says Charlie Arnott, JustGiving’s operations manager. Like Shorten, Arnott says that trust is the greatest asset for both JustGiving and the charities it serves. “We have to make sure our brand is trusted. Otherwise people won’t trust the whole transaction chain.”

An easy target

Like everyone, JustGiving has had to deal with fraudulent ‘test’ donations on stolen cards. More curious are situations where, for example, one member of a couple that’s splitting up will donate money using the soon-to-be former spouse’s card – so the spouse is either out of pocket or made to look bad by asking for it back.

In addition, the company must be careful to ensure that pages set up to collect funds are from bona fide registered charities. “Because if they can get it through, it would be a way for them to siphon money from stolen cards.” Arnott is aware of a couple of attempts, none successful.

But even removing that portion of charities’ security issues is only a partial solution. As Shorten says, charities are more complex than people realise.

"The rules regarding PCI compliance and data protection are complex enough to make it logical to let a specialist bear the burden"

In one sense, Action for Blind People sounds like it ought to have quite a simple life. It no longer does its own fundraising; instead, under a partnership arrangement, the Royal National Institute for the Blind does all of the traditional fundraising and Action gets a percentage of that budget over the next five years. The upshot is that Action doesn’t have donor information anymore and no longer has to worry about protecting it.

What it does have, however, says Gabe Chomic, ICT security and training manager for the charity, is data pertaining to the people it helps to find employment or buy assistive devices. These are vulnerable children and adults whose information is especially sensitive. Any of the staff or volunteers who come in contact with that information has to go through CRB checks.

The big complication, however, is that Action also runs four hotels around the UK for blind people. Unlike its other services, where straightforward payments are made at the point of sale, hotel rooms may be booked well in advance through a multitude of third parties. Therefore, in addition to having to be PCI compliant for taking payments, Action must also comply with a number of regulatory standards laid down for contractors by the Department for Work and Pensions.

“What I found in talking to others in the Charities Security Forum and certainly within Action is that the charity situation isn’t nearly as neatly pigeonholed or categorised”, says Chomic. “The core point is that you can’t just say this is how to secure charities, or this is how they do business.”


Set up in 2007 by Brian Shorten and Salvation Army CIO Martyn Croft, the Charities Security Forum aims to bring together information security personnel in the non-profit sector from across the UK.

The forum’s 80 members include organisations of all sizes, from Oxfam and the Red Cross down to small hospices; the group runs a mentoring programme, quarterly meetings with speakers, and an active LinkedIn group.

“We felt it was needed because we couldn’t find anybody to talk to about security matters in charities”, says Shorten. In his previous jobs with MCI Worldcom and Standard Bank, he says, there was always a network – “other people you could ring and say, what can I do, what do you think?” At MCI, for example, along with all the other telcos, Shorten was part of the Telecom Users UK Fraud Forum, which issued bulletins and allowed members to talk freely. When he arrived at Cancer Research, however, he found there was nothing comparable for the non-profit sector.

He names, as an example of the reason the forum is needed, an issue that’s becoming frequent: the practice among credit card thieves of testing the cards they’ve stolen by making a small online donation to a charity site. Countering this kind of common problem requires collaboration.
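A detection heuristic for the card-testing pattern described here and in the JustGiving section above, added as an illustration; it is not code from any of the organisations named. The donation records, field names and thresholds are constructed for the example.

```python
"""Flag bursts of small donations that share one source but many cards."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Donation:
    ts: datetime
    source: str      # client IP or session id (assumed field)
    card_token: str  # tokenised card reference from the processor (assumed)
    amount: float    # GBP


# Constructed sample records, not real transaction data.
SAMPLE = [
    Donation(datetime(2010, 11, 2, 9, 0, 0), "10.0.0.5", "tok_a1", 2.00),
    Donation(datetime(2010, 11, 2, 9, 0, 40), "10.0.0.5", "tok_b2", 1.00),
    Donation(datetime(2010, 11, 2, 9, 1, 15), "10.0.0.5", "tok_c3", 2.00),
    Donation(datetime(2010, 11, 2, 9, 2, 5), "10.0.0.5", "tok_d4", 1.50),
    Donation(datetime(2010, 11, 2, 9, 3, 0), "10.0.0.5", "tok_e5", 1.00),
    # Regular giver: repeated donations but a single card, never flagged.
    Donation(datetime(2010, 11, 2, 9, 1, 0), "10.0.0.7", "tok_g7", 2.00),
    Donation(datetime(2010, 11, 2, 9, 4, 0), "10.0.0.7", "tok_g7", 2.00),
    Donation(datetime(2010, 11, 2, 9, 8, 0), "10.0.0.7", "tok_g7", 2.00),
    # Larger gifts fall outside the small-amount filter altogether.
    Donation(datetime(2010, 11, 2, 9, 5, 0), "10.0.0.9", "tok_f6", 25.00),
]


def find_card_testing(donations, window=timedelta(minutes=10),
                      max_amount=5.0, min_cards=4):
    """Return {source: distinct_card_count} for every source that made
    at least `min_cards` small donations with distinct cards inside `window`."""
    by_source = defaultdict(list)
    for d in sorted(donations, key=lambda d: d.ts):
        if d.amount <= max_amount:
            by_source[d.source].append(d)
    flagged = {}
    for source, small in by_source.items():
        start = 0
        for end, d in enumerate(small):
            # Slide the window forward so it only spans `window` of time.
            while d.ts - small[start].ts > window:
                start += 1
            cards = {x.card_token for x in small[start:end + 1]}
            if len(cards) >= min_cards:
                flagged[source] = max(flagged.get(source, 0), len(cards))
    return flagged


if __name__ == "__main__":
    print(find_card_testing(SAMPLE))  # {'10.0.0.5': 5}
```

The thresholds are a starting point; a charity that shares hit rates with peers through a forum can tune them against patterns others have already seen.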





squeezy says:

18 May 2014
St. Joseph's Hospital in Orange, Ca doesn't care much about "reputation". Most recently they had a major breach of patient information affecting nearly 1/2 mil. patients. Secondly, they contract with "Convicted Malpractice Doctors". Recently a Podiatrist on staff at SJHAP was convicted of two counts of "NEGLIGENCE". When Steve Moreaux, CEO was advised, he replied in his correspondence that he would look into it. Dr. William J. Spak, DPM, convicted of two counts of negligence, is still on staff at St. Joe's Hospital.
The "home page" of St. Joseph's in the city of Orange announces that all of their doctors answer to a "higher authority". When I asked their VP of Marketing if they contracted with any Malpractice Doctors, I didn't get a reply. Upon sending a second notice, I got an indirect answer, mostly denying any involvement with Malpractice doctors. When I sent Steve Moreaux, CEO and their gal that is VP of Marketing a copy of the "court judgement" (dated 12/2012) I received a defensive letter from Steve Moreaux and William Spak is still on staff at SJHAP. Why can't they inform their patients if they are not ashamed of contracting with Malpractice doctors?
