Cyberattack hits not-for-profit sector

The Smith Family is the latest major Australian organisation to be impacted by a cyber security breach.

Children’s charity The Smith Family is the latest target of a cyber security attack that aimed to steal funds and the personal information of donors.

The not for profit follows other high-profile organisations, including Optus and Medibank, in experiencing a data breach, exposing the vulnerability of the sector.

See more: NFP leaders say they are vulnerable to cyber attacks

In a statement The Smith Family explained that while attempts to steal money were unsuccessful, sensitive supporter data may have been accessed. 

This includes names, personal contact details, information about the amount of money a person has donated and whether this transaction was successful, and in some cases, the first and last four digits of the card used to donate.

“We promptly acted and the attempts were unsuccessful,” said CEO Doug Taylor. 

“We immediately took steps to secure our systems. We then commenced an investigation of the incident and engaged specialist cyber security experts to understand what happened. We have also taken steps to further strengthen our systems.”

The Smith Family confirmed the accessed data alone cannot be used to make fraudulent purchases, as the middle digits, expiry dates and CVV numbers of cards were not stolen. The organisation does not collect identity-based documents, such as passports and drivers’ licences, which have been the subject of other national cyberattacks.

While almost 79 per cent of not for profits believe they have robust data backup protocols in place, under half (45 per cent) are yet to develop a data breach response plan, according to the recently released 2022 Digital Technology in the Not-for-Profit Sector report.

The findings of the report, which was led by Infoxchange and surveyed over 600 not for profits, strongly indicate the need for greater education across the sector. Only 47 per cent of respondents provide staff security awareness training and 56 per cent believe their staff are confident using the technology and information systems required for their role.

Additionally, more than one in three not for profits are yet to implement multi-factor authentication, which is a simple step to significantly improve information security. However, resourcing this area is increasing, with Australian not for profits spending 30 per cent more on digital technologies in the last 12 months compared to the previous year.

Infoxchange’s CEO David Spriggs said the sector needs to prioritise protecting data, especially given the frequency and seriousness of attacks in recent months.

“We must urgently address the significant shortcomings of the not-for-profit sector in relation to cyber security,” said Spriggs.

“Too many organisations are falling behind in not having in place information security policies, staff training and even basic security measures like multi-factor authentication.”

See more: Cybersecurity is paramount for not for profits – we need to act now

At the launch of the Infoxchange report, assistant charities minister Andrew Leigh said “the Optus and Medibank data breaches have highlighted the risk all organisations face from cyber-attacks. The reality is that charities and not for profits are also vulnerable.

“The previous government allowed Australia’s laws to fall behind and as a result the capacity of many organisations in Australia isn’t as good as it should be.”

However, cyber incident response expert Josh Lemon said that while recent attacks have dominated the news cycle, the frequency of breaches have not actually increased.

“This breach on The Smith Family is the latest in a string of breaches on Australian organisations, however while these cyberattacks have dominated news headlines for a while, it doesn’t mean Australian organisations are being attacked or breached more frequently – just that they’re being reported more frequently,” he said.

“While it’s important for organisations to report these breaches, what’s more important is victims consult their customers and employees to advise them of exactly what information has been accessed and what they should do as a next step.

“Organisations must be open, clear, transparent and most of all, helpful when it comes to dealing with data breaches, enabling people to take appropriate action.”

See more: New governance principles in wake of Medibank cyber attack

The Smith Family is informing its supporters of the incident and providing advice for protecting their information and avoiding potential scams that may occur as a result of the breach.

“The Smith Family remains committed to protecting the personal information of all our supporters and we apologise for any inconvenience or stress that notification of this incident may have caused,” said Taylor.

“We thank our supporters for their understanding and ongoing support enabling us to continue providing Smith Family programs to young Australians in need.”