Hackers Swipe ‘Highly Sensitive’ Data in Ransomware Strike on 140 Charities

Hackers have stolen sensitive and personal data from hundreds of charities in a large-scale ransomware campaign targetting the IT firm Evide. 

The Londonderry-based company, which manages the data for charities and community organisations in the UK and Ireland, was struck by a ransomware attack last month which exposed personal and highly sensitive information from over 140 charities. 

At least four of the organisations affected by the attack video work with victims of crime and domestic abuse and stored extremely sensitive data related to their service users. 

A spokesperson for Evide confirmed last night that it had “immediately contacted the Police Service of Northern Ireland (PSNI)” and cyber security specialists as soon as it became aware that a “third party” had accessed its systems. 

They added that none of the material stolen during the attack, which they described as “highly sensitive and personal information”, has been published on the dark web or hacker forums as of yet. 

Dubin-based “One in Four” was one of the organisations affected by the attack. CEO Maeve Lewis told RTÉ Good Morning that the stolen data included phone numbers and email addresses, but did not include information from clients’ work with the charity. 

“We really don't know what the situation is with that data. We do know that any attachments, any letters, any reports for example, to child protection services, they have not been accessed,” Ms Lewis said. 

She said more than 1,000 people who have engaged with the charity may be affected and the charity had managed to contact about 500 of them to date.

Belfast-based charity and social enterprise Orchardville said it was also affected, but is not yet aware how much of its data, if any, had been stolen, the BBC reported. 

"But we wanted to make you aware of what has happened as soon as possible so that you can be more alert to any suspicious attempts to contact you," the organisation told service users in a notification letter. 

‘Data Owners’

RTÉ is reporting that the hackers have made ransom demands but that those demands have not been met by Evide. 

Since the breach involves a large number of organisations, it remains unclear who is to take responsibility for the breach. 

But Dominic Trott, UK director of strategy at Orange Cyberdefense, believes that both Evide and the charities involved must take responsibility.

 He said that the charities impacted remain the “Data Owners” – and have responsibility for protecting the outsourced data – while Evide also has joint responsibility as the “data processor”.

Regardless, Mr Trott noted that fines would be inappropriate given the nature of the attack and the organisations involved. 

“We must ask whether fines would be the optimum outcome here if they could potentially send a charity under,” he said, adding that regulations should instead work on “some kind of remedial plan and education so these organisations can keep doing their valuable work”.

No Organisation is Immune from Cybercrime 

The attack on Evide is a reminder that all organisations are vulnerable to cybercrime in today’s cyber threat landscape in 2023, regardless of industry or size.

“The charity sector and its third-party suppliers are not immune from malicious actors, despite the fantastic work they do,” Oz Alashe, CEO of CybSafe said. 

“Charities and suppliers are often seen as a gold mine for cybercriminals, as they prioritise funding on frontline charitable work rather than into defences against cyber threats.”

In today's increasingly digital age, cybersecurity affects individuals, businesses, and governments alike.

In the last six months of 2022, there were nearly 2.8 billion malware attacks and 236.1 million ransomware attacks worldwide. In the past year, more than 255 million people fell victim to phishing scams – a 61% increase in the rate of phishing attacks compared to 2021. 

Mr Alashe said that Evide’s case serves as a reminder that organisations of all kinds must look beyond their front door when it comes to security, ensuring their third-party partners’ employees are taking cybersecurity seriously.

“People are the first and last line of defence in safeguarding this crucial data. Focusing on specific security behaviours that make individuals vulnerable to attacks, and promoting positive cooperation has the potential to reduce organisational risk,” Alashe noted. 

“Otherwise, the organisations that exist to help the most vulnerable will continue to be vulnerable themselves.”