Hacking Non-profit Organizations

Threats, vulnerabilities, and hacking non-profit organizations

The world is currently struggling with a hacking epidemic. Companies of all sizes are falling victim to cyber piracy and paying billions of dollars every year. No company is safe. Every company is a target. But not everyone knows this is actually happening. Most companies think they are too small to be targeted, or that they are simply not relevant enough to be targeted. This is the case for a lot of non profit organizations around the world. Today I want to go over three of these examples and bring awareness to the situation. Furthermore, It is important to keep in mind that small businesses and non-profit organizations make easy targets for cyber criminals. Hacking non-profit organizations has never been easier. So today we will be focusing on the latter of the two.

Blackbaud

In 2020 Blackbaud, a software fundraising company, experienced their very own cyber attack. A corporate server was infiltrated and compromised for over three months. The attack was discovered in May 2020 when an employee noticed unusual login activity. The hack traced all the way back to February. Though Blackbaud did not go into detail about the attack it did mention that only their corporate datacenter was breached. Their customer cloud environment was left untouched. However, Hundreds of companies have reported being affected by the hack and the true extent of the damage will be remain unknown.

What we know

Blackbaud suffered a ransomware attack. A payout to the hackers was made. Hundreds of companies PPI was harvested and systems were damaged.

What they did right

Blackbaud partitioned their environments to mitigate these types of issues. They reported the incident to the proper authorities and had cyber experts as well as forensics teams investigate and mitigate further damage.

What they Did Wrong

Blackbaud realized their systems were infiltrated far after the damage was already done. The organization paid the hackers to release their systems. They alleged that the malicious activity had a resemblance to customer activity, although customers should not have even been allowed on the corporate network.

One Treasure Island

In December 2020 One Treasure Island was hit with a “low-tech” technique called email compromising. This is when a respected or trusted email within an organization is spoofed, or copied, to engage in social engineering or spear phishing. This means that a respected email is copied and used by the bad guys in order to approve payments, cash fraudulent checks, or a number of other things. In the case of One Treasure Island, the impact cost them $650,000.

What we know

Hackers got into the organization’s bookkeeper's email to spoofed the director’s email. They used a legitimate invoice but changed the bank information to route to their own bank. The Bookkeeper assumed this was normal behavior and transferred the funds to the bad actors in increments.

What they did right

Immediately after discovery the incident was reported to all the proper authorities, though there was no follow-up investigation.

What they did wrong

The organization probably did not have protocol nor controls in place to manage transactions that large or they were simply ignored. A lack of user training could also be noted. The employee did not verify the email. If it was out of the norm to create three separate transactions then that alone should have been a red flag.

Mensa

In 2020, Mensa, the UK’s non-profit for brainiacs was hacked and around 18,000 members lost personal information to hackers. One of the director’s credentials was used to gain access to their internal systems where passwords for the rest of the organization were held. Their Technology Officer stepped down shortly after the incident.

What we know

Directors at Mensa were spear phished in order to gain system privelages. Servers holding profile data and credentials were the primary targets. Criminals gained access to thousands of passwords and credentials that were not hashed or salted, creating an easy target..

What they did right

Mensa Contacted the authorities and replaced the technology officer for the oversight.

What they did wrong

NEVER STORE YOUR PASSWORDS IN PLAIN TEXT. The officials at Mensa overlooked a simple but essential security feature. Their IT department did not hash passwords, which made the data virtual low-hanging fruit for hackers. It is monumentally important to hash, encrypt, and/or salt your hashes when storing passwords.

What can you do?

There are a few things you can do to start taking control of your organization's cyber security. Believe it or not a lot of popular suggestions don't even require a deep knowledge of IT or Cyber Security. All you need is good old fashioned computer sense. First we can start by identifying common vulnerabilities:

  • Lack of awareness: The first step to fixing a problem is knowing that there is one.
  • Lack of a Budget: This means promoting readiness by preparing and IT budget.
  • Lack of Training: Make IT security and continuity training mandatory.
  • Lack of Support: Make sure your organization has proper support, either from a Managed Service Provider (MSP) like BuenaVista Information Systems, or from an internally hired IT department.
  • Relaxed Security Controls: If you are not supported, then there are sure to be relaxed security controls that lead to -
  • No vulnerability management: A lack of vulnerability management. Weak passwords, open firewall ports, weak protocols, etc.
Try these steps
  1. Have a strong password you can remember! Make it complex. We reccommend creating a sentence that's easy to remember like "I.am.a.password.2day!" (don't use that as your password).
  2. Don't use the same password for everything! This cannot be stressed enough.
  3. Don't sign up for services or applications online using company emails. That's a great way to get your email compromised.
  4. Don't open phishy emails. If you are suspicious about an email then you should call your manager immediately.
  5. And finally, apply the principle of least privelage, which means to be suspicious of everyone and every program. Treat every transaction online as a malicious one until proven innocent. Verify, validate, authenticate, always.

The rest you can leave to an MSP or your local IT department. For the real heavy Cyber Security lifting call a Cyber Security firm to harden your environment and make sure you are as safe as you can be. The best cyber security is user training! So make sure your employees and affiliates are taking the proper precautions to protect your organization. You wouldn't think that people would be inclined to take advantage of and victimize non-profit organizations, but in the end there will always be bad people. Good folks like all of you running non-profit organizations deserve to have the knowledge and the means to defend yourself from threats like these.

If you are need of support or would like a free cyber security seminar reach out to us! https://bvinfo.net

You can have an IT just like this. Tech Support is essential.

Get protected. Stay supported.
Call the boys at BVI.

Links:
Blackbaud - https://www.thenonprofittimes.com/npt_articles/the-hack-of-blackbaud-damage-is-still-being-assessed/
One Treasure Island - https://www.wsj.com/articles/hackers-stole-650-000-from-nonprofit-and-got-away-showing-limits-to-law-enforcements-reach-11623058201?reflink=desktopwebshare_permalink
Mensa - https://grahamcluley.com/poor-password-security-mensa/

Other blog posts