How the Target Breach is Affecting Non-Governmental Organisations

During a recent webinar, treasurers for non-governmental organisations (NGOs) discussed ways that the pre-Christmas security breach at US retailer Target could immensely impact their operations – in some ways more so than any other industry.

Sassan Parandeh, CTP, treasurer for ChildFund International noted that the Target breach is the second largest cyber attack in history. The largest is still the breach of Heartland Payment Systems in 2009, which resulted in 130m cards being compromised. However, Target is largest breach on the retail side and has resulted in millions of cards being cancelled and replaced.

Parandeh emphasised that one of the most important developments following the breach was the unprecedented response from banking industry. In the past, banks would typically only replace cards when they were lost or when a fraud had occurred. But in this instance, many banks cancelled cards before any fraud is actually reported. “We are living in a new paradigm,” he said. “They said anyone who has used their credit cards between 27 November and 15 December, we will their cancel cards, and we’re going to send the bill to Target.”

This presents a substantial problem for NGOs, which take a lot of recurring payments. When cards are cancelled and customers do not voluntarily update their information, automated giving plans can be completely disrupted.

Of course, NGOs can call customers and update the information. But this also carries a risk. “We all know that by calling someone and asking them to update their credit card information, there is a threat of cancellation,” said Parandeh. “We are in an industry where people choose to give us money. We are not Verizon; we are in the choice business. Target has pretty much shot a bullet in our bucket of cash.”

Additionally, even if the card information has been updated, previously failed payments can create questions. “Let’s say the February payment has failed,” Parandeh said. “When we go out to collect March payment, do we take both payments and risk angering a customer, or only take the March payment?”

Risk Mitigation

So what can NGOs do to mitigate this risk? Parandeh noted that NGOs may want to consider outsourcing their credit card processing. Target – the second largest retailer in the US – was easily overcome by 17-year-old and a 23-year-old cybercriminals. All NGOs are significantly smaller and have less IT resources. Therefore, they might do better to let a third-party handle card data.

NGOs may also want to look into account updater services, though these have significant limitations. Visa and MasterCard are the only card companies that offer these services, and they only repair data from participating card issuers. There may also be delays, resulting in the missing of some monthly payments.

Cyber insurance provides a degree of protection, but NGO treasuries should reassess their current coverage. “Does our cyber insurance cover you adequately?” Parandeh asked. “You may have to optimise your cybercrime insurance. Do you have an ability to go to your insurer and say ‘I have been impacted by this amount?’”

In January, ChildFund, saw a 1% increase in the amount of cards that failed. The NGO also saw a half a percent increase in February. ChildFund attributes these increases to the Target breach. “We hope that in March our numbers show an improvement,” Parandeh said. “But there certainly is an impact and this impact is different than everybody else because we are in the NGO sector.”


Related reading