Serving Clients Full Circle

Writings by Randall

Private Data Public – Do We Care Anymore?

As we end 2023, another data breach is announced.  Seems like 2022, 2021, or 2020.

Every time you turn around, there is another announcement of a data breach. This time, it was in the nonprofit world: the fundraising and donor management platform DonorView. According to published reports, the length and complete depth of the breach are unknown. And no surprise, the information from DonorView is limited, at best. Another nearly one million donor records were placed at risk. Email addresses, payment information, and other personal pieces of data were available to anyone who could use a computer.

An interesting twist this time: the vulnerability was found by a cybersecurity researcher who emailed DonorView twice with no response.

This is not the first data breach in the nonprofit industry. There was Blackbaud, Experian, and many, many more.

The experience of having your data “taken” is so ubiquitous that very few people care anymore. Many, like me, believe that the database of the dark web has almost all of our data already... so what is a little more?

What is a donor/person to do?

First, according to the experts, freeze everything you can (which I have done): credit bureaus, bank accounts, etc. Make sure you have as many safeguards in place as possible. I have set up notifications for all bank accounts and credit cards whenever one is used via the web (credit card not present) or over a specific amount (not that much). During the holidays, I get texts like crazy. And I look at each one.

Next, double-check (triple-check) your statements each month. Is everything there supposed to be there? And make sure you have a copy of every credit card and bank statement somewhere to review. And there are the obvious things to never do. Never use the same password for most websites. Don’t use simple passwords like “password.” And don’t open hyperlinks you don’t recognize.

Here is one more thought. Let’s increase the financial penalties for companies that have data breaches. When Blackbaud had millions and millions of records taken, the final penalty was ONLY $49.5 million. That is just not enough for a company of their size. A penalty of that size does not push the organization into taking data protection seriously.

We can’t simply ignore the notifications of data breaches, but it is incumbent on the individual to do everything possible to protect their data because companies (for-profit or nonprofit) don’t seem to care all that much.

Randall Hallett