It looks like there isn’t a lot of media coverage, but there’s a small article in the Arkansas Democrat Gazette reporting that a hacker gained illegal access to servers for the Nature Conservancy. Personal information regarding 14,000 people may have been compromised, including employees and their families. Payroll information, including direct deposit bank account numbers, was part of the stolen data in the data breach as well as names, birthdates, addresses, and Social Security numbers. The breach was first reported back in September and at the time the estimate on people affected was 3500 employees.
The details are still sketchy, but the article states that the contents of the employees’ computers were copied and information was sent to the hacker after employees had visited a certain site. Sounds like a Trojan horse might be involved?
What arrested my thoughts is that the Nature Conservancy is a nonprofit organization. This got me thinking. Nonprofit organizations probably need data security even more than governments and corporations. Governments and corporations are, to a certain degree, necessary, meaning some people will look to obtain services from them even if they don’t want to. For example, I think it’s very well documented (I’m not going to comment whether it’s biased or not; true or not; etc.) that there are a lot of people who shop at Wal-Mart but they only do so because they have no other choice: supposedly Wal-Mart has driven out all of the competition. So in this sense, the corporation becomes a necessity, even if people don’t really want to shop there. As for government and their services…paved roads and police, anyone?
But a nonprofit organization is different. A nonprofit organization is not, for the lack of a better word, necessary in the sense I’ve described above. Their purposes are noble, and the services provided might enrich us all directly or otherwise, but like Blanche DuBois in A Streetcar Named Desire, they depend on the kindness of strangers. As far as I know, a nonprofit organization must raise its money from donors, be it single individuals writing out a check from home or a corporation donating money.
Now, I’m not saying that the following happened. There is no way to tell, and since there isn’t a huge ruckus in the media over it, I’m guessing only employee information was compromised, but let us suppose that donor information was compromised. If one of the files copied and stolen by the hacker happened to be a donor file, this would be the end of the NPO as we know it.
First, the nonprofit would probably have to issue credit monitoring services to affected donors (some might decline, but others might not).
Second, existing donors might be less inclined to donate money or inclined to donate less money.
Third, non-current but potential donors might be disinclined to donate, fearing that their data might be compromised.
The bigger issue is that (probably) the NPO does not have a financial cushion for such instances (last time I checked, the TJX breach cost over $100 million and counting) so they might have to come up with the money via more donations (which may dry up from the incident) or from money reserved for other projects.
The NPO is caught between a rock and a hard place. And let’s face it, a lot of security solutions out in the marketplace are expensive and difficult to maintain, assuming they can be successfully implemented to begin with. It might be hundreds of thousands of dollars later that the NPO figures out that the particular solution they signed up with is not compatible with them.
I would say that AlertBoot could be a huge boon to nonprofit organizations looking to secure their data. Unlike other security solutions that quote their rates on a monthly basis only to charge them on an annual basis (via annual contracts), AlertBoot has a competitive monthly charge. This way, even if it’s a trial basis, if any cash-strapped organizations find that this is not the solution for them, they have the flexibility to search for other solutions without wasting their donations (although, I think they will be very happy with what AlertBoot has to offer).
Hackers, phishers, identity thieves…they don’t care whose data they’re stealing or whose servers they’re breaching. While this is a blanket statement, between the government, for-profit companies, and not-for-profit organizations, I would say that the latter is the most vulnerable to the ramifications of a successful criminal data attack. If NPOs have not considered and budgeted for some method of data protection, I would say that now is the time to do so. Potentially, their survival—and those in their stewardship, be it an endangered species or a tropical rain forest—might depend on it.