Charities of all sizes were affected by cyber crime in 2019. Charities can often find themselves in the cross-hairs of cyber-criminals looking for easy targets, with almost a quarter reporting at least one attack during a twelve-month period, according to the government’s Cyber Security Breaches Survey 2019. Despite these figures, 44% of charities are not protecting themselves from cyber-attacks as many charity leaders don’t see the risks. As it turned out, smaller charities got off relatively lightly despite many of them having comparatively unsophisticated cyber security. Of larger, high-income charities, over 50% reported being on the receiving end of a cyber-attack during the year. Many of these attacks were so-called "phishing attacks", as well as ransomware attacks and other digital attacks which involved viruses and other forms of malware. Cyber-attacks were the cause of about one-quarter of all data security incidents reported to the Information Commissioner’s Office, according to the latest ICO statistics. Other causes of data security breaches include emailing, posting or faxing data to the wrong recipient, and losing papers containing information when they were stored in an insecure place.
In many cases, the impact of a breach on charities affected by cyber crime is very limited - provided the victim has taken suitable security precautions. When St John’s Ambulance’s training course booking system was infected with ransomware in July this year, staff could not access the system, and existing booking data was encrypted, rendering it useless to the charity. A ransom was demanded by criminals to restore access to the system. Losing access to computer systems in this way would be catastrophic for some organisations, but St John’s Ambulance was able to nullify the ransomware attack within thirty minutes without paying the ransom, according to a ComputerWeekly report. Recovery from a ransomware attack in this way can be achieved if the organisation has a digital backup copy of the system and data made before the ransomware strike, and this appears to be the case with St John’s Ambulance. The charity is confident that no data was leaked outside the organisation.
A cyber security breach can occur when data is allowed to "leak" from its repository because of a misconfiguration or because a user or organisation does not fully appreciate who can access it. That is what happened when transgender children’s charity Mermaids accidentally made confidential emails visible online. The emails contained the names and contact details of young people using the service, and could be read by anyone searching for Mermaids and its charity number, according to a Sunday Times report. The charity fixed the issue quickly, but not before some of the confidential details had been stolen and posted online, according to the report.
In a similar but unrelated incident, older people’s charity Independent Age suffered a data breach when employees’ bank details, along with their phone numbers, addresses and dates of birth were accidentally sent to a former colleague while complying with a subject access request, according to a ThirdSector report.
Unfortunately, it is not always the case that a charity can be back to "business as usual" quickly following a cyber-attack, and that is particularly likely if it falls victim to an ultra-sophisticated "state-sponsored" digital attack. That’s because these attacks may involve "advanced persistent threats" or APTs, which can be particularly hard to detect and which can allow the attacker to maintain access to its victim’s data even after the initial cyber-attack has been detected and cleaned up. Something of this nature appears to have been the case with The Institute for Statecraft, a Scottish charity which is concerned with human rights. When it fell victim to a sophisticated data breach, one of the charity’s leaders said that he believed that the Russian government was ultimately behind the attack, according to news reports. Months after the security breach was detected, the charity’s website is still unavailable, displaying only a page that states: "All content has been temporarily removed from this site, pending an investigation into the theft of data from the Institute for Statecraft and its programme, the Integrity Initiative."