Cybersecurity a hot button issue for NFPs in 2024

Their alerts come on the back of yet more hack attacks on Australian not-for-profits, with authorities and IT advisors suggesting that not-for-profits should expect that a breach is not just a risk but an inevitability for most organisations.

The most recent study by Infoxchange, Australia’s leading authority on tech in the not-for-profit sector, reveals 12% of not-for-profits suffered a cyber security incident in the past year, suggesting tens of thousands of organisations are affected, yet less than a quarter have introduced processes to manage risks.

Not-for-profits with an annual turnover of more than $3 million are required to report a data breach to the privacy watchdog, the Office of the Australian Information Commissioner (OAIC).

Health service the latest NFP hit by cyber attack

In the latest attack to hit the sector, St Vincent’s Health – Australia’s biggest not-for-profit health service – was targeted on December 19 in a sophisticated attack via apparently stolen log-in credentials.

The data comprised nearly 4.3 gigabytes of mostly system and network data.

In a written response to the ICDA news service, the service’s dedicated cyber response team said that following a “round-the-clock” and month-long forensic investigation that it had found no evidence of sensitive personal data, such as licences, passports or banking details being stolen from the network. The team said that no data from the breach had been posted onto the dark web.

The health service had briefed 30,000 staff and was working with state and federal governments, regulators, law enforcement and cyber experts to tackle the issue.

The organisation had undertaken “system remediation” and upgraded constant monitoring to quickly respond to suspicious activity.

Life savers wait for Christmas to reveal attack

In a Christmas morning post on Facebook, Life Saving Victoria told members that it had been hacked by “malicious actors” nearly a month earlier, on November 28.

The organisation said the hack had affected customers but that only “limited” personal information had been compromised. It had alerted those affected by email and given advice about how to respond.

“As we are in the midst of our summer season, we want to assure our members that their data is protected and this incident doesn’t pose any direct threat to them nor the critical services our members provide to the community.”

The organisation reported the incident to relevant authorities.

Pareto Phone: Liquidators now in control of hacked telemarketer

One of the most significant hacks to hit the sector in recent years was a massive data breach by telemarketer Pareto Phone in which data from more than 70 Australia charities and 50,000 donors was dumped on the dark web.

The affected organisations were a who’s who of the sector, from Amnesty International to the Wilderness Society.

An official investigation into the incident is continuing. A spokesperson for the OAIC said that the regulator was now “engaging with the liquidators as part of our ongoing investigation into Pareto Phone”.The business folded in October after charity customers abandoned the provider.

According to documents seen by ICDA, the company collapsed owing more than $17.3 million to unsecured creditors.

The OAIC is expected to examine several aspects of the case, including complaints by several major charities that Pareto Phone had held onto customer data for years after that information should have been deleted, in breach of privacy rules.

The issue prompted a string of peak bodies and government regulatory authorities to issue warnings to organisations to take greater care when dealing with third-party operators with access to personal data.

The OAIC is likely to complete the investigation this year, with its corporate plan suggesting 80% of investigations are completed in 12 months. Depending on its findings, privacy breaches can attract penalties of up to $50 million, alongside a raft of other enforcement provisions.

According to a recent OAIC study, Australians are concerned that data breaches are the biggest privacy risk they face, and most want more control over the use of their information.

Cybersecurity threat is rising, with one in eight NFPs affected in 2023

Among the charities affected by the Pareto Phone breach was Médecins Sans Frontières (MSF), also known as Doctors without Borders.

Its head of fundraising, Tom Duggan, said, “The impacts will reverberate through 2024 and beyond.”

“Charities and their supply chains are now on notice that they are just as much a target as their commercial colleagues. This will require ensuring they have properly invested in appropriate infrastructure and skills to keep their data and their donors’ data secure.

“This is not cheap, and while it’s unlikely to forward your organisation’s mission, it’s essential for retaining trust, reputation, and ultimately long-term sustainability.

“Sadly, it’s almost inevitable that there will be a major leak from the not-for-profit world and when that happens it will be important to respond strongly and with a unified voice.

“Our sector, rightly or wrongly, has a strong reputation for good intentions but not a great one for cyber security skills. We must not sacrifice our trust for short-term savings.”

Not-for-profit board member and futurist Simon Waller, agreed, saying NFPs should brace for significant challenges in the area for at least the next few years.

“The quality and quantity of data stored online means the value proposition for cyber criminals is improving every day. In addition, there is a huge shortage of suitably qualified cyber security experts and growing complexity of online systems. Although NFPs have probably been considered low value targets until now, this is likely to change.”

The latest privacy breaches are just the most recent in a spate of attacks. Other significant incidents in recent years have included:

• the November 2022 breach of the Smith Family’s database, which exposed information on up to 80,000 donors including name, address, phone number, email address and donations
• the January 2021 breach of Oxfam Australia’s database, which saw an undisclosed number of names, addresses, dates of birth, emails, phone numbers, gender labels and some donation histories leaked
• the April 2021 ransomware attack on UnitingCare Queensland, which partly disabled the organisation’s systems until November that year
• an Anzac Day 2018 attack on Family Planning NSW, which exposed sensitive personal information on 8000 clients, some seeking help with abortions and contraception
• the release of details of 550,000 blood donors by the Red Cross in 2017.

Infoxchange, said figures from its 2023 Digital Technology in the Not-for-Profit Sector report showed that thousands more NFPs have been affected.

“We know that cyber security risks are on the rise, and preventing data breaches has become more complex. One in eight not-for-profits have reported a data breach in the last year alone,” Infoxchange CEO David Spriggs said.

Sector takes step to boost cyber defences

Infoxchange would be working with sector peak bodies and governments to “accelerate awareness, funding, and training to better protect not-for-profits from an increasingly challenging cyber environment.”

Several community sector bodies are now collaborating to address the growing threat.

The Community Council for Australia is leading conversations with authorities including the Department of Home Affairs, along with representatives of Infoxchange, the Australian Council for International Development (which represents overseas aid groups), Fundraising Institute Australia, and the Public Fundraising Regulatory Association.

Fundraising Institute Australia has a close relationship with many of the third-party fundraisers, including telemarketers, that are now under closer scrutiny following the Pareto breach.

FIA chief executive Katherine Raskob said the institute had reminded members of their obligations under FIA Code and had offered extra training in privacy and cybersecurity.

It hoped to develop new training and tools for the sector during 2024.

She said FIA telephone fundraising agency members, not surprisingly, had “reported their charity clients are seeking further assurances regarding the use and retention of their donor data”.

Insurers demand better safeguards

Insurance to protect NFPs from cyber security breaches is becoming more valuable as the number of cyber incidents continues to grow.

The senior client manager for not-for-profits at insurance broker Aon, Derek Turner, said insurance companies were very aware that cybercrime was “the fastest growing crime in the world”.

“Many smaller NFPs believe their organisations are too small to be the target of a cyber crime, but it is important to remember that the information targeted is often information such as names and email addresses, which is often held by majority of NFPs. These are considered easy targets for hackers because of the lower IT security and protection.”

He said that insurers issuing policies now required organisations to employ multifactor authentication, as a minimum, to protect their systems. Organisations without IT risk management practices and technicians to assist with maintenance could be refused insurance.

While Aon was yet to identify organisations that were “uninsurable” for cyber threats, some would face reduced limits and increased excesses in areas where insurers had a lower appetite for risk, such as organisations involved in software-based services.

He said cyber security premiums had been “fairly stable” since the initial “explosion” of cyber attacks about five years ago prompted relatively large premium hikes. He said insurance costs for smaller organisations varied considerably based on their subsector, IT risk management and policy settings.

Regulator’s advice on cyber security

The Australian Charities and Not-for-Profits Commission – the charities regulator – said that all not-for-profits and charities should take action to strengthen their cyber security defences.

Commissioner Sue Woodward said the issue should be high on agendas.

“I urge directors of all charities and not-for-profits, no matter how small, to make it a priority to strengthen their strategies and procedures to reduce potential harm from cyber attacks, such as data breaches.”

Ms Woodward warned that the potential consequences of an attack included the loss of crucial information, high costs to restore that data, and reputational damage from media coverage.

“I know it can feel ‘easier said than done’, but there is a lot your organisation can do. It doesn’t necessarily involve expensive, high-tech solutions. It starts with understanding what information you are holding and why, so you can understand what risks are present, and develop strategies and action plans to mitigate them.

“For many organisations, there is a legal requirement to have a privacy policy and to notify of breaches. Even if, in a strict legal sense, you don’t have to do this, it is a matter of good governance to have a policy and a plan of action for any breach.

“Your policy needs to outline the way people’s data is collected, stored and protected – really just the same as you would expect of any organisation or business you deal with in your personal life. A clear policy will help improve your organisation’s approach to managing information, guide your staff and volunteers, and provide assurances to your donors and supporters.”

She said community directors were ultimately responsible for managing cyber security risks and ensuring staff and volunteers had a basic understanding of safe practices.

Ms Woodward highlighted the free and affordable tools available to help, including:

• Our Community’s Damn Good Advice on Cyber Safety 
• the ACNC’s Cyber Security Governance Toolkit
• the Infoxchange Digital Transformation Hub and phone advice
• agency guidance from the Australian Signals Directorate and the Office of the Australian Information Commissioner.  

Useful resources

Cybersecurity self-assessment tool | Ten questions every board member needs to ask about cybersecurity | Free cybersecurity policy | Free privacy policy | Free data retention and destruction policy