Cybersecurity Insight

Short Report: Why Associations Need Cyber Security

10 Jan

Think your association isn’t appealing to hackers? Think again.

Associations are consistently the organizations most at risk of being hit by cyber attacks, simply because of the sheer volume of data they own, from membership and partner data to sponsor and vendor financial information. Associations are prime targets for hackers, and a cyber attack on an association can result in reputational damage, consequential costs, and loss of members. Whether you’re running a membership renewal, planning a conference, storing large amounts of data, or adjusting to temporary spikes in web traffic, it’s imperative that your network, applications, and Association Management Software (AMS) system are always secure and performing efficiently so that your critical information is safe.

With that said, some associations are starting to invest in a cyber security strategy. Others, not so much. Listed below are associations that have been hacked in the last year:

American Bankers Association

  • What was stolen? Shopping cart user names, passwords and email addresses
  • How many victims did the attack claim? 6,400 ABA account users
  • What was the response? The American Bankers Association identified the problem in their website’s shopping cart application and began working with a local cyber security firm to understand the crux of the issue and how to prevent future instances from occurring

Orange County Employees Association

  • What was stolen? Member names, addresses, dates of birth, Social Security numbers, driver’s license numbers, payroll information, insurance enrollment information, retirement statuses, usernames, passwords, and information concerning dependents.
  • How many victims did this attack claim? Undisclosed, but included association members, non-members, Health & Welfare Trust participants, staff, dependents of any of these individuals, and others.
  • What was the response? The attack had been underway close to two months before it was discovered in parts of the OCEA network. The victims were offered credit monitoring, identity theft restoration, and insurance services for up to one year

Direct Marketing Association

  • What was stolen? Information from debit or credit cards used on the association website’s bookstore, with information including the names, account numbers, security codes, and expiration dates printed on the physical cards
  • How many victims did this attack claim? Undisclosed
  • What was the response? After discovering malware on its association server, which was maintained by an undisclosed third-party vendor, the association offered one year of credit monitoring services to the affected victims at no cost

Jefferson National Parks Association

  • What was stolen? Debit and credit card numbers from two stores at the Gateway Arch, namely The Levee Mercantile and The Museum Store
  • How many victims did this attack claim? Undisclosed
  • What was the response? After the malware was discovered close to six months after it was installed on point-of-sale machines at the gift shops in question, investigators were able to trace the original attack point to a terminal that was initially situated outside of the association’s purview and at a third party vendor site.

A few key points to keep in mind: third-party vendors played a significant role in at least two of the four highlighted association cyber attacks, and associations are just as vulnerable to the very same attacks that threaten for-profit businesses on a daily basis. Having a company such as Neovera as your experienced cyber security protection team allows for peace of mind. We have over 15 years of experience in the field and are able to identify risks and outline specific, actionable steps to improve your cyber security posture. Your association, its data, and critical systems are completely protected as we pinpoint security threats inside and outside of your environment and implement the necessary measures to prevent breaches and data loss. Bottom line: We protect your association from cyber attacks.