Charity data stolen in ransomware attack on supplier

A number of charities in Ireland and the UK have had their data compromised following a ransomware attack on an IT supplier

The Police Service of Northern Ireland (PSNI) and Ireland’s An Garda Síochána are probing a series of data breaches at several charities working with vulnerable individuals, including victims of child sexual abuse, after their data was compromised in a cyber attack on an IT supplier.

The supplier, Derry-Londonderry-based Evide, is a data management services firm specialising in third-sector organisations. Its Impact Tracker platform is used by charities across Ireland and the UK to manage campaign data and outcomes.

It is understood it was targeted by an as-yet undisclosed ransomware operator in March 2023. According to RTÉ, its attackers have demanded a ransom, but Evide has not paid.

In a statement, Evide said: “We recently became aware of an incident when unusual traffic was detected on our network. As soon as we became aware that a third party had accessed our systems we immediately contacted the PSNI and engaged the services of experienced cyber security specialists to assist us to contain the issue, support recovery efforts, and conduct a thorough investigation.

“We have provided notifications to all relevant stakeholders and clients and also notified the relevant authorities, including the Police Service of Northern Ireland who notified An Garda Síochána. The incident is now also subject to a criminal investigation.”

Two of the charities known to have been hit are Dublin-based One in Four, which works with adult survivors of child sexual abuse, and Belfast-based Orchardville, which supports adults with autism and learning disabilities.

One in Four said it learned of the breach on 5 April when it was notified in the course of Evide’s investigation.

“We now know that the personal information of people who have used our service has been accessed,” the organisation said in a statement.

“We have begun contacting individual clients directly to advise them of the incident and to address any concerns they may have. We have taken this approach to allow us to provide proper supports to clients who may find this incident distressing. Our priority at all times is to the welfare and wellbeing of our clients.”

Speaking to RTÉ, the charity’s CEO Maeve Lewis said she was unsure what data had been stolen, but that it did likely include personal information.

Orchardville, meanwhile, said it was also working to establish what data had been compromised and has warned service users to be on the alert for suspicious contacts.

“It’s reprehensible but attacks like this against some of the most vulnerable are popular with certain cyber criminals,” said Comparitech security specialist Brian Higgins.

“The instinctive reaction of victim organisations will always be to do their utmost to protect those they are charged with helping and this can often be exploited as a motivation to pay a ransom quickly rather than risk any further harm.

“It appears that Evide, its affected clients, and PSNI, have a comprehensive incident response plan in action and are doing their utmost to see out this despicable attack in the recommended fashion.

“Their comms strategy is very clear and anyone who thinks they may be affected or know somebody who is a client of any of the listed victim organisations should follow the advice issued by PSNI and report any unsolicited messages about the attack. Never engage or reply. Only report and delete,” he added.

Risk to charities

Charities are considered particularly at risk from cyber security incidents of this type for two main reasons.

The first is because of the wealth of immensely valuable personal data that they hold. By its nature, such data frequently falls under the umbrella term of special category data under the UK and European Union (EU) GDPR – which includes information on ethnic and racial background, political opinions, philosophical and religious beliefs, trade union membership, genetic data, biometric data, health data, and data on an individual’s sex life, sexual orientation and gender identity.

The second reason is that charities are frequently small, under-resourced organisations that may be reluctant to spend their limited funds on appropriate cyber security controls, often rely on bring-your-own-device policies, and have a high number of casual workers and volunteers who may lack basic cyber awareness and training.

Writing in Computer Weekly in February 2023, Rob Shapland, an ethical hacker and head of cyber innovation at Falanx Cyber, and Adam Monks, chief executive of third-sector specialist MSP Smartdesc, set out three steps that charities can take to help mitigate the risk of falling victim to a cyber attack. These are:

  1. To outsource and invest in a virtual chief information security officer (vCISO) service;
  2. To consider investing in managed detection and response (MDR) services;
  3. To use third-party penetration testing and ethical hacking services if possible.

“Charities are on cyber criminals’ radars, even the large, well-known charities are vulnerable. The impact of a large-scale attack can be devastating – particularly the downtime and damage to the brand and supporter trust,” they wrote.

“The investment of time and money into the right cyber security strategy and services, from specialists that understand the challenges of the sector, will always outweigh the long – and reputationally damaging – road to recovery from a successful attack.”

Popular support package

Meanwhile, in January of this year, the UK’s National Cyber Security Centre (NCSC) launched a package of support measures for charity organisations working with vulnerable groups – including children, domestic violence survivors, and refugees.

Delivered alongside the IASME cyber assurance consortium, the Funded Cyber Essentials scheme gives charities that successfully applied 20 hours of free support from an accredited Cyber Essentials assessor to help them implement the five core pillars – firewalls, secure settings, access controls, malware protection and software updates – that open up the NCSC’s Cyber Essentials Plus certification.

The offer proved so popular that the NCSC and IASME have since had to close applications.
