Extra - IT: Act now to guard your data against hackers

Cybercriminals are hard to stop, but charities needn't be their next victims. Ron Condon puts up some defences.

Internet criminals love international disasters. As soon as a hurricane hits or an area is flooded, the criminals will leap into action, sending out spoof begging letters to millions of people around the world.

Unwary recipients, moved by the pictures they see on their televisions, are only too willing to respond and hand over their credit card details without looking closely enough to realise that the organisation they are giving to is a sham.

It is only one of the ways in which criminals siphon off cash from deserving causes, and it is very hard to stop. "When people are being exploited it is doubly damaging," says Martyn Croft, head of corporate systems at the Salvation Army. "The donors lose out and so do the intended beneficiaries. It's something we should be on top of as charities, but I'm not sure we are."

Croft says the problem is increasing as banks tighten their security and criminals look around for easier victims. "Charities are seen as a soft target," he says.

In charge of security for the Salvation Army, Croft is also keenly aware of the information he holds that could be valuable to a criminal. The organisation, which Croft describes as a "£220m business", holds details of a million regular donors, plus personal details of thousands of single homeless men it works with. This is, as he points out, "a potential goldmine for identity theft".

That information needs to be protected by firewalls, intrusion detection systems and filters to keep the wrong people away from it, but the number of potential leakage points is increasing all the time.

For instance, large files can be copied, often for legitimate reasons, on to laptops, memory sticks or even iPods. As HM Revenue & Customs discovered last November, when 25 million records were loaded on to a couple of CDs and popped in the post, even the most well-meaning staff can make potentially disastrous mistakes by accident.

The internet can also present an open door to hackers if websites have not been properly coded with security in mind. A good example of this came in late June, when a North American non-profit organisation called Tricolumbia.org was hit. The site invites people in the region of Columbia to take part in triathlons and helps them raise sponsorship. It held the personal details of 8,500 people on its database.

Using what is called an SQL injection attack, the hacker was able to access the database, extract the complete details, then post them up on a hackers' website for others to exploit.
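The flaw described in the paragraph above, shown as an added example that is not code from the article or from the site it discusses: a lookup that splices the visitor's input into the SQL text beside the same lookup using placeholder binding. The table name, columns and rows are constructed for this illustration; Python's built-in `sqlite3` module stands in for whatever database the real site used.

```python
import sqlite3

# Constructed sample data: an invented stand-in for a participants table.
# Names, addresses and hash values are made up for this example.
SAMPLE_ROWS = [
    ("alice", "alice@example.org", "hash-a"),
    ("bob", "bob@example.org", "hash-b"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE participants (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO participants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Query text built by string concatenation.

    Whatever the visitor typed becomes part of the SQL grammar, so a value
    containing a quote can change the meaning of the WHERE clause.
    """
    sql = (
        "SELECT username, email FROM participants WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The same lookup with a bound parameter.

    The driver sends the value separately from the statement, so it is only
    ever compared as data and can never alter the query's structure.
    """
    sql = "SELECT username, email FROM participants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The textbook payload turns the WHERE clause into a tautology, so the
    # concatenated query returns every row; the bound query returns none.
    payload = "' OR '1'='1"
    print("vulnerable  :", lookup_vulnerable(conn, payload))
    print("parameterised:", lookup_parameterised(conn, payload))
```

The defensive point is that the fix is not input filtering but keeping data out of the statement text: every query the application runs should take its values through the driver's placeholder mechanism, and a code review or static check for string concatenation around SQL keywords is the quickest way to find the places that do not.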

The case was tracked by Jacques Erasmus, director of research at security firm Prevx. "All the people who donated to that website had their details exposed," he says. "There is a lot of information that could be used for other types of attack. For instance, hackers could carry out 'spearphishing' attacks, where they send targeted emails to people because they know their names and addresses."

The database also held their site passwords in encrypted form, but Erasmus says he could crack the codes quite easily. That would then lay the people open to more trouble, as he explains: "Statistically we know that if someone has a password for a site, they normally use that same password for other sites, such as internet payment system PayPal."

The charity accepted PayPal donations, and Erasmus guesses that at least 1,000 of the names on the database would use the same password for their PayPal account. Anyone looking at the database would be able to get email addresses and passwords - enough for them to use the victims' PayPal accounts.
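Erasmus's remark that the stored passwords could be cracked easily is the failure mode that salted, deliberately slow password hashing is meant to prevent. The example below is added here and is neither the article's nor Prevx's code: it contrasts an unsalted fast hash, where every user with the same password gets the same stored value and a single precomputed table recovers all of them, with PBKDF2 over a random per-user salt. The iteration count is an assumed value chosen for this illustration, not a recommendation from the article, and the passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for this example; production settings should follow
# current guidance for the chosen algorithm and be re-tuned over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_fast_hash(password):
    """How the weak scheme works: one plain SHA-256 of the password.

    Two users with the same password produce identical output, so one
    lookup table of common passwords unmasks every account at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Derive a stored record: algorithm, iterations, salt and digest.

    A fresh random salt per user means equal passwords give different
    records, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored, candidate):
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iters)
    )
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed passwords for two imaginary accounts sharing the same secret.
    pw = "triathlon2008"
    print("unsalted, user 1:", unsalted_fast_hash(pw))
    print("unsalted, user 2:", unsalted_fast_hash(pw))  # identical
    rec1, rec2 = hash_password(pw), hash_password(pw)
    print("salted,   user 1:", rec1)
    print("salted,   user 2:", rec2)  # differs because of the salt
    print("verify correct:", verify_password(rec1, pw))
    print("verify wrong  :", verify_password(rec1, "something-else"))
```

Even with sound storage, the reuse problem Erasmus describes remains: a leaked record still lets an attacker test guesses offline, so the slow derivation only buys time. That is why a breach should trigger forced resets and why donors are better served by a site that never asks them to create a password it does not need.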

Systems and technology need to be properly installed to provide the digital equivalent of locks and bolts on charities' systems - as with locks and bolts, however, they are no use unless people understand the need for security.

All organisations running computer systems, including charities, need to have a written security policy setting out what is allowed and forbidden, and everyone needs to follow it.

Security awareness training is also essential to make people realise the consequences of security breaches. One useful source, which Croft uses, is a set of information security training modules created by the Mid-Yorkshire Chamber of Commerce and Industry. The material is available at www.bobs-business.co.uk and would be a good place to start for any organisation.

As the recent report on the HMRC debacle concluded, if staff had been made aware of security procedures, those CDs would never have gone missing.
Any charity interested in improving its information security would do well to join the Charities Security Forum. Started last year by Brian Shorten, head of security at Cancer Research UK, it provides a platform for charity professionals to exchange ideas and advice.

"All charities are affected by security threats and new legislation such as the Payment Card Industry Data Security Standard if they take credit card payments," he says.

PCI DSS is a new standard that requires those handling credit card details to follow strict rules, such as encrypting the data. Those who fail to meet the standard may become liable for any losses suffered on those cards.

The forum holds its meetings at the Cancer Research UK offices in London. For more information, email Brian Shorten at brian.shorten@cancer.org.uk.
