Nonprofit Data Breaches Highlight Notable Data Compromises in January

Date: 02/08/2022
  • All of January’s highlighted data breaches represent a negative trend identified in the Identity Theft Resource Center’s (ITRC) recently released 2021 Annual Data Breach Report – an increasing lack of transparency in data breach notices.
  • The International Committee of the Red Cross (ICRC) suffered a cyberattack that impacted more than 515,000 highly vulnerable people in many undisclosed countries.
  • ShopGoodwill.com was the latest e-commerce platform to suffer a data event due to a website vulnerability. It is unknown how many people were impacted. Exposed information includes names, email addresses, phone numbers and mailing addresses.
  • The YMCA of Greater Charlotte suffered a ransomware attack. However, the nonprofit did not disclose how many people were impacted or what data was seized. Ransomware attacks are on pace to surpass phishing as the number one root cause of data compromises in 2022.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about January’s key data events and other data breach news, consumers and businesses should visit the ITRC data breach tracking tool, notified.
  • If you believe you are the victim of identity theft from a data compromise, like one of the nonprofit data breaches, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Notable January Data Breaches

Of the 128 data compromises the ITRC tracked in January, three stand out: International Committee of the Red Cross (ICRC), ShopGoodwill and the YMCA of Greater Charlotte. All three were nonprofit data breaches that impacted well over 500,000 people. The Red Cross suffered a cyberattack that targeted a company in Switzerland. ShopGoodwill had a vulnerability on its website that exposed personal data. The YMCA of Greater Charlotte fell victim to a ransomware attack impacting an unknown number of people.

International Committee of the Red Cross

According to the ICRC, the nonprofit detected a sophisticated cybersecurity attack against computer servers hosting information held by the ICRC. The attack compromised personal data and confidential information (names, locations and contact information; login information for 2,000 volunteers and staff members) on more than 515,000 highly vulnerable people. The data originated from at least 60 Red Cross and Red Crescent National Societies worldwide. Due to the attack, the ICRC says they have shut down the systems that ran the compromised program. The ICRC says they are working with partners worldwide to understand the scope of the attack and take the appropriate measures to safeguard their data in the future.

ShopGoodwill

BleepingComputer.com reports that Goodwill disclosed a data breach that affected the accounts of customers using its ShopGoodwill.com e-commerce auction platform. In a data breach notice, ShopGoodwill said an unknown number of people’s personal contact information was exposed due to a site vulnerability. While no payment card information was exposed, the vulnerability did expose users’ names, email addresses, phone numbers and mailing addresses. Goodwill says they have fixed the vulnerability that led to the exposure and will contact everyone impacted by the nonprofit data breach if they learn of any relevant information.

YMCA of Greater Charlotte

According to the Charlotte Observer, the YMCA of Greater Charlotte is alerting an unknown number of its members about a data breach that happened months ago. In a press release, the YMCA of Greater Charlotte said the investigation into a ransomware attack revealed an attack was detected on September 10. The YMCA of Greater Charlotte did not explain how many people were affected and what data was seized. However, the organization says it took steps to maintain operations and programs at all of its locations.

The Lack of Transparency is Increasing

All of these data breaches represent a negative trend identified in the ITRC’s recently released 2021 Annual Data Breach Report that highlighted an increasing lack of transparency in data breach notices. Failing to disclose the root cause, the scale and the scope of a breach, including the number of victims impacted, and other important details makes it difficult for other organizations and individuals to take the actions needed to protect themselves from similar attacks and the increased risk of identity fraud.

What to Do if These Nonprofit Data Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and keep an eye out for phishing attempts that claim to be from the breached organization.

ShopGoodwill says if anyone has questions about their data event, they can email them at [email protected].

Affected members of the YMCA of Greater Charlotte data breach will receive two years of free credit monitoring.

ITRC Releases 2021 Annual Data Breach Report

The ITRC recently released its 2021 Annual Data Breach Report. According to the report, the overall number of data compromises (1,862) was up more than 68 percent in 2021 compared to 2020. The new record number of data compromises was 23 percent over the previous all-time high (1,506) set in 2017. The number of data events that involved sensitive information increased slightly compared to 2020 (83 percent vs. 80 percent). However, it remained well below the previous high of 95 percent set in 2017.

Download our 2021 Annual Data Breach Report.

notified

For more information on January data breaches, or other nonprofit data breaches, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.   

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.   

Later in Q1 2022, the ITRC will launch a free alert service for consumers where individuals can create a list of companies with which they do business. If an organization on the list is added to our notified data compromise database, a subscriber will receive an email alert.

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, like one of these nonprofit data breaches, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.
