New York-based charity People Inc. has become the latest victim of a data breach, exposing clients’ personal details, including health data, when employees’ email accounts were accessed by a bad actor.
The non-profit organisation reported that “protected health information belonging to certain current and former clients” had been the subject of the data security incident.
The breach, which was first discovered in mid-February, occurred after an employee’s email account was compromised. Last month, it was discovered that a further email account contained personal information belonging to current and former clients, which may have included names, addresses, social security numbers, financial account information, medical information, health insurance information and driver’s license details. An estimated 1,000 clients have been affected.
According to People Inc., it immediately reset the password required to access the impacted account and employed an independent forensics firm to assess the impact of the incident. It has also reported the matter to the FBI.
People Inc. data breach shows even non-profits are not safe
The NGO serves older adults and those with developmental and intellectual disabilities, and the incident highlights the fact that it is not only for-profit organisations that can be targeted by cyber criminals.
Commenting on the story is Jonathan Deveaux, head of enterprise data protection at comforte AG:
“If there are companies that still think they are not targets of cybercrime, let this story be proof. Even non-profit companies may be subject to cyberattacks.
“It’s about the data. Hackers and attackers don’t care what kind of business you run; they only care about the data you have. Many past news headlines have been about credit card numbers stolen during data breaches, but what’s trending up lately is unauthorised access to personal identification information (PII).”
Cyber attacks can have a significant impact on NGOs, especially smaller organisations that may not have the budget to provide extensive security protection. According to a survey by Sainsbury Management Fellows, the charity sector was named the least prepared for cyber attacks by 25% of respondents. Deveaux believes that the personal information held by some NGOs makes them particularly vulnerable:
“In the case at People Inc., personal information such as Social Security numbers, driver’s licenses, health info, and financial data seemed to be the target, as an unauthorised wire transfer was attempted. Bad actors can do more bad things with PII than they can with stolen credit card numbers.
“Companies who lose their customers’ PII can cause a huge impact on the individuals whose data they lost. Credit cards can be replaced; identities cannot.”
Last year GCHQ published advice for NGOs looking to protect themselves from cyberattacks, covering how to avoid phishing attempts, how to use passwords to protect data and the importance of backing up data. Deveaux highlights the importance of raising awareness:
“Cybersecurity training helps raise awareness with people who have access to sensitive and personal data, as it is common knowledge that people are the weakest link in the cybersecurity chain.
“Additionally, companies can look to deploy data security technology to help minimize the risk of data exposure. Pseudonymisation and anonymisation are highly effective methods companies can use through technologies such as tokenisation or encryption. And, as a by-product, both help companies address data privacy requirements, which are coming into force in the US, state by state, very soon.”
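The pseudonymisation-by-tokenisation approach Deveaux describes is easier to judge with a concrete illustration. The Python below is an added example written for this article; it is not code from People Inc., comforte AG or any named product. It assumes a vault-based design: PII fields such as a Social Security number, licence number and account number are swapped for random tokens, and the only mapping back to the real values lives in a separately secured vault (in-memory dictionaries stand in for that store here). The client record, field names and values are all constructed for the demo. The security point is the one the quote makes: a mailbox or application that holds only the tokenised record exposes no identities if it is compromised, because the tokens reveal nothing without the vault.

```python
import hashlib
import hmac
import secrets

# Fields treated as PII in this example (an assumption modelled on the quote:
# identifiers, licence data and financial account data).
PII_FIELDS = ("name", "ssn", "driver_licence", "account_number")


class TokenVault:
    """Maps PII values to random tokens and keeps the only copy of the mapping.

    The vault is the one component able to reverse a token, so in practice it
    belongs in a separately secured service, not in the mailbox or application
    that handles day-to-day records. In-memory dicts stand in for it here.
    """

    def __init__(self, lookup_key: bytes):
        # HMAC key used only to answer "has this value been tokenised before?"
        # without keeping plaintext values as keys of the lookup index.
        self._lookup_key = lookup_key
        self._token_to_value: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenise(self, value: str) -> str:
        idx = self._index(value)
        token = self._index_to_token.get(idx)
        if token is None:
            # Random token: nothing about the value can be recovered from it
            # without the vault, unlike a plain hash of a low-entropy SSN.
            token = "tok_" + secrets.token_hex(8)
            self._token_to_value[token] = value
            self._index_to_token[idx] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymise(record: dict, vault: TokenVault) -> dict:
    """Return a copy of `record` with each PII field replaced by its token."""
    out = dict(record)
    for field in PII_FIELDS:
        if out.get(field):
            out[field] = vault.tokenise(str(out[field]))
    return out


def rehydrate(record: dict, vault: TokenVault) -> dict:
    """Reverse pseudonymise() for a caller that is authorised to use the vault."""
    out = dict(record)
    for field in PII_FIELDS:
        if out.get(field):
            out[field] = vault.detokenise(out[field])
    return out


def raw_pii_present(record: dict, original: dict) -> bool:
    """True if any of the original PII values appears anywhere in `record`."""
    raw_values = {str(original[f]) for f in PII_FIELDS if original.get(f)}
    return any(str(v) in raw_values for v in record.values())


# Constructed sample client record; every value below is invented.
SAMPLE_CLIENT = {
    "client_id": "C-0001",
    "programme": "day-habilitation",
    "name": "Example Person",
    "ssn": "000-00-0000",
    "driver_licence": "X0000000",
    "account_number": "0000000000",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    stored = pseudonymise(SAMPLE_CLIENT, vault)
    print("what an application or mailbox would hold:", stored)
    print("raw PII present:", raw_pii_present(stored, SAMPLE_CLIENT))
    print("rehydrated via vault:", rehydrate(stored, vault))
```

Two design points matter for the risk the article describes. First, the same value always maps to the same token, so client records can still be matched and processed without anyone handling the real identifiers. Second, tokens are random rather than a hash of the value: a hash of a nine-digit SSN could be reversed by brute force, whereas a random token can only be resolved by the vault, which is exactly the component an attacker who reaches an email account does not have.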