Our Daily Bread Hack Shows Nonprofits Vulnerable to Cyberattacks
The letter from Our Daily Bread (ODB) was one donors hope never to receive: a notification that “a recent data security incident” may have given a third party access to their contact and credit card information.
ODB, which works “to make the life-changing wisdom of the Bible understandable and accessible to all,” raised $86 million in 2022, up from $64 million in 2020. Its Feb. 10 letter announced the problem without providing much detail, and apologized for “any inconvenience” caused:
“We experienced an unauthorized third-party intrusion into our e-commerce web page during the period of November 18th to December 29th, 2022.” A forensic investigation was begun by external experts on Jan. 4, 2023. Letters were snail-mailed to donors five weeks later, “out of an abundance of caution.”
One donor, Kevin Van Dyck, wrote to the ministry in frustration over its slow response, and later informed MinistryWatch about the hack.
“You were aware of this over a month before the date on this letter,” he wrote. “If you were trying to act out of an abundance of caution, as you wrote, why would you not inform the potential victims as soon as you knew?”
But one expert who helps nonprofits recover from such hacks says ODB’s handling of the matter was par for the course. A 2022 article from The Chronicle of Philanthropy warns, “cyberattacks are a growing menace to nonprofit organizations around the world.”
ODB did not respond to calls and emails from MinistryWatch, one of which reached Bill Walker, a vice president listed as the donor contact on the ministry’s Member Profile page with the Evangelical Council for Financial Accountability.
Jake Lapp, ECFA’s vice president of member accountability, told MinistryWatch that “technology and security around a ministry’s data is extremely important and an increasing area of risk.”
Lapp would not say whether other ECFA members had experienced hacks in the past.
ECFA offered a 2021 webinar on “Cybersecurity Threats and Security Considerations,” but offers no guidance on how ministries should respond to attacks. “ECFA would not provide counsel or advisory services on this topic as it is outside the scope of ECFA Standards,” he said.
“Hackers are on the lookout”
ODB, a global ministry with more than 30 offices, 600 staff, and 1,000 volunteers, offers biblical teaching through devotionals, films, podcasts, radio, books, mobile apps, social channels, websites and the weekly Day of Discovery TV broadcast.
Founded by M. R. DeHaan in 1938 as the Detroit Bible Class, it has been renamed many times: Radio Bible Class in 1941, RBC Ministries in 1995, and Our Daily Bread Ministries in 2015. Matt Lucas, who was named president in 2022, is the first president from outside the DeHaan family.
ODB did not explain how hackers gained access to its site, but Jim Walker, the “Hack Repair Guy” who says he has worked on thousands of hacked websites, says a quarter to a third of his business is with nonprofits, some of whom fail to give their websites the attention they deserve.
“Hackers are on the lookout for vulnerable and valuable websites and nonprofits are some of the best of both worlds,” Walker wrote in a 2019 article for the website Give. “Most nonprofits have less security on their website than they think they do.”
In the article and a phone interview, Walker highlighted some of the chief vulnerabilities nonprofits face:
- Websites and e-commerce pages are a low priority. “They’re not considered a very important part of the business,” Walker said. The Chronicle of Philanthropy adds that website security costs money, worrying some donors. “Donors want nonprofits to spend only a certain amount of money on overhead, but they don’t realize that they’re putting their own contributions under threat.”
- Ministry websites are often revised by multiple employees and/or a changing cast of volunteers, not all of whom have been trained in proper security measures.
- Employees who lack training may be tricked into responding to phishing, “the fraudulent practice of masquerading as a reputable company in order to trick others.” Catholic Relief Services, which experienced an attack in 2017, now regularly tests employees to help rebuff attacks.
- Many ministry websites use WordPress software, which has vulnerabilities in its core programs, as well as in outdated themes and plug-ins.
- Well-maintained websites have better-than-average domain authority. This, along with websites’ donation forms, is appealing to hackers.
Even with proper prevention, “it’s not really possible to prevent websites from being hacked, otherwise billion dollar companies would not be hacked,” Walker said. That’s why recovery is important.
Equally important: how hacked ministries respond to donors who are exposed to hassles and potential identity theft. As the Chronicle reported: “If an organization suffers a breach because it was careless with data, donors may flee.”
Main photo: Unsplash / Creative Commons