Secure Giving: Information Security Challenges in the Third Sector

The Salvation Army’s Martyn Croft says that, following a disaster, spikes in related phishing attacks begin at the six-day mark, aided by social media
The Salvation Army’s Martyn Croft says that, following a disaster, spikes in related phishing attacks begin at the six-day mark, aided by social media

A particularly twisted scam made the rounds last year: a variant of the Citadel malware that created regionally tailored messages to Facebook users requesting $1 donations to children in desperate straits. Who could say no?

Of course, the purpose was not to save children but to steal credit card data.

“Charities are often used as test beds”, says George Tubin, a senior security strategist at Trusteer, which reported the scam. In other words, would-be fraudsters test stolen credit cards by putting through a small charge.

The incident demonstrates two different infosecurity issues that are peculiar to the third sector – charities and non-profits. Both are problems Tubin raises: fraudulently obtained donations, many of which will have to be reversed and which use up time and resources, and reputational damage and loss of income when a real charity is used to defraud would-be donors. As TV drives requesting donation by SMS become more common, phishing attacks that ask for similar donations are also rising in frequency.

About six days after every major disaster – Katrina, Sandy, the Japan tsunami – Martyn Croft, CIO for the Salvation Army, sees a spike in phishing attacks based on the disaster. He admires the psychology: six days is about long enough for people to start wishing they could help. For this type of fraud, social media is the perfect vector; people often push their friends to support pet causes.

Besides those issues, the third sector has the same problems everyone does: protecting personal data, recruitment, and new technology trends, such as the cloud and bring your own device (BYOD). Adding to the struggle is a lack of resources.

Last Bastion of Integrity

Taking stock of the third sector as a whole is not easy. As Brian Shorten, a co-founder of the 160-member Charities Security Forum, says, the non-profit sector encompasses a very wide range – everything from a local hospice struggling to raise a few million a year to giant global organizations like the Salvation Army. The one thing they all have in common is their reliance on trust and reputation: “Charities are the last bastion of integrity”, Shorten observes. For this reason, he believes that, “They are the last people who can suffer the loss of that reputation.”

Lawrence Simanowitz, a partner at Bates Wells Braithwaite who specializes in charities and data protection and is a board member of the Fundraising Standards Board, agrees. “What I always say to charities is that actually the most damaging thing if they had a security breach would not be sanctions” – from a regulator – “but would be the absolute loss of trust by supporters.” As he says, most people are only prepared to give charities money if they believe it will be wisely spent. “Trust is at the heart of that relationship, and if something undermines it, such as a security breach, it could seriously threaten a charity’s survival.”

Simanowitz, calling the third sector, “a very segmented world”, divides it into three categories: service organizations, which hold data on both donors and users of the service; membership organizations; and pure fundraising charities. Examples might be, respectively, a free clinic, a campaigning organization, and Comic Relief, the widely copied UK charity that aggregates tiny amounts from millions of donors into grants it makes to service groups.

Crippling Consequences

The impact of a security breach varies accordingly. Close relationships with donors and patients may get a small hospice through; history and momentum may save a famous multinational, just like a commercial brand. It’s that middle membership group that may be worst affected, especially as data breach legislation takes hold throughout the US and Europe and sanctions gain in potency.

In the UK, in 2010 the Information Commissioner’s Office gained the power to impose fines of up to £500,000. Even half that sum could cripple a campaigning organization at a crucial moment. This type of organization is also the most vulnerable to hacktivists and other political opponents, although even a service organization helping individuals to meet targets for an unpopular government program could find itself targeted by the program’s opponents.

In one of Simanowitz’s cases, a fraudster penetrated the database of a charity’s several hundred thousand members. The charity decided not to tell its members, thinking it could resolve the issue, and then a year later changed its mind. “The membership went crazy”, he recalls. The organization eventually recovered by taking every complaint seriously and corresponding with each of the hundreds of people who complained. “Some raised it with the Information Commissioner’s Office, and they ended up having to sign an undertaking but they weren’t fined. They did lose some members in the long run, but I think because they took it very seriously when they did eventually react, they managed to minimize the damage.”

"Charities are often used as test beds"
George Tubin, Trusteer

In a second example, a charity failed to ask enough questions to outsourcing suppliers about where its data was being stored and backed up, later discovering that it was being transferred overseas to a country lacking the EU’s data protection requirements – a serious compliance issue.

If Scott Gray, the managing director of Rapidata Services, is right, the latter case is increasingly less likely. Since 2010, he says, “There are definitely a lot more questions about where is data stored, how it’s transferred, how it’s safeguarded in transfer. Charity clients are certainly asking the right questions now.”

BYOD, however, is a trend that comes up in every conversation in this sector. Like the chief executives of large businesses, CEOs of charities want to use their iPads. But where businesses may balk at the loss of control, charities are less certain: supporters do not want their money diverted to buy shiny electronics.

“I always say to people that if BYOD is done properly, then it’s not a cost saving”, says Rowenna Fielding, the Alzheimer’s Society’s information security manager. “There is a whole new set of due diligence there around the potential for personal details about vulnerable adults to be on a system that isn’t directly controlled by us, or is controlled by us but because it’s not part of a project, IT doesn’t have a formal mandate to cover it.”

Your CISO is your BFF

Fielding was actually hired in direct response to a security issue. In 2009, the Society called in its laptops in order to encrypt their hard drives – only to have them stolen from the office. Everyone recognized the irony, but the Information Commissioner’s Office still required the Society to sign an undertaking to improve its practices.
“They’ve recovered and are doing very well”, says Croft of the Society. “After the data protection incident they were really able to demonstrate that they were taking the right steps.”

One key to this, he observes, is getting security taken seriously at the top, which in the case of charities is often not the officer layer but the board of trustees.

“If you don’t have a seat then it’s hard to spread the message, and you’re not always sure it gets through”, Croft remarks. “My advice for any charity trustee is to make the CISO your best friend. You’ll get a lot of inside information.”

Among that information may be a lack of resources – though not quite the way you might think. Many assume that infosecurity personnel in the third sector must be poorly paid. Croft says that’s more image than reality: “I don’t think the pay is particularly worse than anywhere else. It may be what people believe, but the firewalls are the same, the hackers are the same guys, and you need somebody who is very good at their chosen profession to keep the bad guys out, whether you’re a charity or a bank.”

Where Fielding sees a difference is in the number of staff: she is on her own in a job where she wishes she had two or three more people. And yet, the sense of mission makes all the difference: “I think if I were facing the same challenges in the for-profit environment I would be much more demoralized. Whereas, in the Alzheimer’s Society, it’s such an amazing and important thing we do that I feel I can rise to meet the challenges and see them as more of an opportunity.”

SMS Donations

Donating money to charities via an SMS message sent to a short-code typed into a mobile phone is novel in the US, but less so in Europe. At the April 2013 Tomorrow's Transactions Forum, Comic Relief's director of innovation, Amanda Hocke-Martin, said that 9% of donations during its fundraisers come in by text. Since Comic Relief's goal is "frictionless giving", SMS has been an important addition to the range of options that enables the impulse donations the charity thrives on.

For consumers, SMS donations are simply added to their phone bills; their payment details are not passed to anyone who doesn't already have them. For charities, SMS and its attendant security issues are, likewise, typically handled by third parties. Vodafone, for example, partners with JustGiving to provide an SMS donation service.

Bigger risks might be posed by apps on smart phones, says Shorten, who considered an app for a charity employer at one stage. "The last thing you want is credit card details on the phone itself", he says. In practice, however, you may research the charity via its app, but come time to make a donation, you're taken to a page that's managed by WorldPay or another third-party expert in handling payments.

"PECR is more of a concern than the security aspect", says Fielding, referring to the Privacy and Electronic Communications EU directive. "We have a third party sending the messages and collecting the data for us, so from our point of view, as long as our contract with them says they will keep the data secure and gives us the right to request verification of their security program, that pretty much covers it.”


What’s hot on Infosecurity Magazine?