3 Activities That Can Increase the Likelihood of a Nonprofit’s Website Getting Hacked

Nonprofit organizations have become easy targets for hackers. Yet, despite the increase in breaches over the past five years, fewer than 30% of nonprofits have performed an assessment of their website to identify their potential vulnerability to a cyberattack.

According to the National Council of Nonprofits (NCN), if your nonprofit clients do any of the following three activities on their website, they have an increased risk of being subject to a cyberattack. 

  1. Store and transfer personally identifiable information (PII)

Much like a for-profit business, many nonprofits use their website to collect and transfer PII about the patrons and donors who support them. Unfortunately, collected PII can easily become compromised. When this happens, the website’s users are exposed to personal risks. In addition, the reputation of the organization can become damaged and, in some cases, the nonprofit can be subject to legal and financial consequences. Today, experts agree that most nonprofit organizations simply aren’t doing enough to safeguard the PII they store and transfer.

According to The Chronicle of Philanthropy, many nonprofits are using homegrown or customized software systems to store, maintain and transfer patron and donor PII. For example, an organization may routinely use unencrypted spreadsheets or documents to transfer information, increasing its vulnerability to a cyberattack.

“When there is a breach of the confidentiality of PII, [there is] a risk for the individuals whose data was disclosed, [as well as] for the nonprofit that will now potentially be subject to liability for the breach. [For this reason], it makes sense for every nonprofit to — at a minimum — assess the risks of a data security breach and protect its data from unauthorized disclosure.” Source: The National Council of Nonprofits.

  2. Gather information on the preferences and habits of donors, customers, blog or newsletter subscribers, event participants, etc.

The information that a website captures from various sources can be useful to hackers in a breach — even if the data being collected doesn’t officially fall into the PII category.  According to the NCN, personal preference data, such as online event registration information, can be used in a ransomware attack and harm the organization’s reputation and its ability to bring in future contributions. All data reflecting personal preferences must be kept secure.

According to the Chronicle of Philanthropy, Amy Sample Ward of NTEN, a nonprofit that assists charitable organizations with technology, said, “The value of the data often isn’t the point for cybercriminals. They’re not interested in keeping it — they just know you’re going to pay to get it back, or you’ll pay to avoid the reputational damage.”

  3. Conduct e-commerce transactions

If a nonprofit’s website is set up to accept donations or process event registrations, it is at an increased risk for a cyberattack. More hackers are specifically targeting nonprofit websites that utilize e-commerce, hoping that organizations have failed to perfect their e-commerce security measures.

E-commerce security describes protocols used to protect the PII of customers when purchasing goods or services online. According to Cloudways, a managed cloud hosting platform provider, “There are a number of threats that an online store must protect itself from. In addition to hacking, other examples include the misuse of personal data, monetary theft, phishing attacks, unprotected provision of services and credit card fraud.”


“Until recently, data security has been a ‘nice to have’ for nonprofit organizations,” said Michael Enos, senior director of community and platform for TechSoup. “Now it’s a ‘must have.’”

As an insurance professional, you know that understanding the risks is just the first step in mitigating a cybersecurity incident. You also know that no system is infallible and that an organization can fall victim to a hacker at any moment. If you haven’t already done so, now is the time to discuss with your nonprofit clients the critical importance of having cyber liability insurance as part of their risk management and business continuity program.

About Charity First

The incredible services that nonprofits provide come with unique and complex risks that are part of their everyday work in serving the elderly, children and other vulnerable populations. That is why Charity First is committed to providing our retail partners across the country with best-in-class underwriting, consistent and responsive service, and risk management services, including comprehensive cybersecurity coverage that can be customized to meet the individual needs of their nonprofit clients. To learn more about our cyber coverage or other products, please contact us at 800-352-2761 or marketing@charityfirst.com.