Key Takeaways
- Nonprofits are not low-value targets — donor PII, payment data, and beneficiary records are exactly what attackers monetize.
- Real organizations have been hit: the Red Cross (515,000+ vulnerable people exposed), Blackbaud’s 2020 ransomware reached roughly 13,000 client organizations, and Save the Children was tricked into wiring nearly $1 million.
- The tactics are ordinary — business email compromise, phishing, ransomware, and unpatched third-party software — not exotic, nation-state-only tools.
- Most of the defense is affordable and mission-protecting: MFA, EDR, tested backups, prompt patching, and staff training.
There’s a comforting story nonprofits tell themselves: We’re a charity. We don’t have money. Who would bother attacking us? It’s a myth — and it’s the exact assumption attackers count on. A nonprofit’s database is full of the things cybercriminals want: names, addresses, email logins, payment-card and bank details, and in many cases sensitive information about the vulnerable people the organization serves. Combine valuable data with leaner security budgets and a culture built on trust, and nonprofits become an attractive — and softer — target.
Why Attackers Target Nonprofits
Nonprofits sit at an uncomfortable intersection: they collect sensitive data at scale but rarely fund security the way a similarly sized company would. A few reasons they end up in the crosshairs:
- Valuable data. Donor and member PII, payment and bank details, and sometimes health or beneficiary information — all of it sells.
- Money in motion. Grants, donations, and vendor payments mean frequent transfers, which is exactly what business email compromise is built to hijack.
- Thin budgets and staff. Few organizations have dedicated IT or security people; many run on volunteers, donated equipment, and older systems.
- A culture of trust. Openness and helpfulness are nonprofit strengths — and the precise traits social engineering exploits.
- Heavy reliance on third parties. CRMs, fundraising platforms, and cloud tools hold your data — so a breach at one of them becomes your breach.
Real Nonprofits, Real Breaches
These aren’t hypotheticals. Some of the most recognizable names in the nonprofit world have been hit — in ways that map directly onto smaller organizations.
Blackbaud (2020) — one vendor, thousands of nonprofits
In May 2020, Blackbaud — one of the largest software providers to nonprofits, schools, and foundations — was hit by ransomware. Attackers exfiltrated more than a million files before encrypting systems, and the stolen data touched roughly 13,000 of Blackbaud’s client organizations: donor names, contact details, giving histories, and in some cases Social Security numbers and financial information. Most of those nonprofits did nothing wrong — they were breached through a vendor they trusted. Blackbaud later agreed to a $49.5 million settlement with 49 states and a separate $3 million settlement with the SEC. The lesson: your data is only as safe as the platforms you hand it to.
The Red Cross (2022) — one missed patch, 515,000 people
In early 2022, the International Committee of the Red Cross disclosed a breach that exposed the personal data of more than 515,000 highly vulnerable people — individuals separated from their families by conflict, disaster, and migration. Attackers got in by exploiting an unpatched critical vulnerability in a third-party authentication tool, then quietly stayed inside the network for roughly two months. The sophistication pointed to a state-sponsored group. The takeaway for any nonprofit: a single missed patch on an internet-facing system can hand attackers the keys — and the people who suffer are the ones you exist to protect.
Save the Children (BEC) — nearly $1 million, no malware
Save the Children Federation lost real money to one of the most common attacks of all: business email compromise. A criminal took over an employee’s email account and used it to push through fraudulent transactions, redirecting close to $1 million. The organization recovered most of it through insurance but still absorbed roughly $112,000 in losses. No malware, no ransomware — just a compromised inbox and a convincing request to move money.
The Tactics Used Against Nonprofits
Notice what the examples above have in common: none of them required exotic, movie-villain hacking. The same handful of tactics shows up again and again.
- Business email compromise. An attacker takes over or spoofs a staff, executive, or vendor inbox and requests a wire transfer or a change to payment details. This is how Save the Children lost money.
- Phishing and social engineering. Fake login pages and urgent emails that harvest passwords — the entry point for the majority of breaches.
- Ransomware. Data is stolen and encrypted, with a demand to pay. Whether you recover quickly depends almost entirely on your backups.
- Third-party / supply-chain compromise. Your CRM, fundraising platform, or IT vendor gets breached — and your donor data goes with it, as Blackbaud’s clients learned.
- Unpatched vulnerabilities. Internet-facing software left un-updated is an open door — exactly how the Red Cross was breached.
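As an added illustration (not code from the original post or from Brydan), here is a small Python screen that turns the warning signs above into a check on inbound mail: a Reply-To pointing somewhere other than the sender, a lookalike of your own or a vendor's domain (one character off, or the same name on a different TLD), an executive's display name arriving from outside your domain, and language about wires or changed bank details. The domain names, staff name and three sample messages are constructed placeholders; a "flagged" result is a prompt to confirm the request out of band, not proof of fraud.

```python
"""Heuristic screen for business-email-compromise (BEC) style requests.

Added illustration for this post; it is not Brydan's tooling or any product's
logic. Every domain, name and message below is constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-charity.org"                 # assumption: the nonprofit's domain
KNOWN_VENDOR_DOMAINS = {"trusted-vendor.example"}  # assumption: vendors on file
STAFF_NAMES = {"dana rivera"}                      # assumption: executive display names

PAYMENT_PATTERNS = [
    r"\bwire\b", r"\bbank (?:account|details)\b", r"\brouting number\b",
    r"\bupdated? (?:our|the) (?:payment|banking) (?:details|information)\b",
    r"\bgift cards?\b",
]
URGENCY_PATTERNS = [r"\burgent\b", r"\bimmediately\b", r"\bconfidential\b"]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """True when a becomes b with exactly one insert, delete or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) == 1


def _lookalike_of(domain):
    """Return the trusted domain this one imitates, or None."""
    for legit in {OUR_DOMAIN, *KNOWN_VENDOR_DOMAINS}:
        same_name_other_tld = domain != legit and domain.split(".")[0] == legit.split(".")[0]
        if _within_one_edit(domain, legit) or same_name_other_tld:
            return legit
    return None


def score_message(raw):
    """Return the BEC indicators found in one RFC 5322 message plus a flag decision."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_to)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    reasons = []
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    imitated = _lookalike_of(from_dom)
    if imitated:
        reasons.append(f"sender domain {from_dom} looks like {imitated}")
    if display.lower() in STAFF_NAMES and from_dom != OUR_DOMAIN:
        reasons.append(f"staff display name '{display}' sent from outside {OUR_DOMAIN}")
    identity_signals = len(reasons)  # everything collected so far concerns who sent it

    payment = any(re.search(p, text) for p in PAYMENT_PATTERNS)
    if payment:
        reasons.append("asks to move money or change payment details")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("urgency or secrecy language")

    # Flag for out-of-band verification when money is involved AND at least one
    # sender-identity signal is present, so an ordinary vendor invoice passes.
    return {"flagged": bool(payment and identity_signals), "reasons": reasons}


SAMPLE_MESSAGES = [  # constructed for this example
"""From: "Dana Rivera" <dana.rivera@examp1e-charity.org>
Reply-To: dana.rivera.ceo@freemail.example
Subject: Urgent wire needed today

Please wire $48,000 to the vendor's new bank account immediately.
Keep this confidential until the board call.
""",
"""From: "Accounts" <billing@trusted-vend0r.example>
Subject: Updated banking details

We have updated our banking details. Please use the new routing number for future invoices.
""",
"""From: "Grants Office" <grants@trusted-vendor.example>
Subject: Q3 program report

Attached is the quarterly program report. Thanks for your partnership.
""",
]


def screen_samples():
    """Screen the constructed messages; returns one flag decision per message."""
    return [score_message(m)["flagged"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = score_message(raw)
        print("FLAG " if result["flagged"] else "ok   ", raw.splitlines()[0])
        for reason in result["reasons"]:
            print("      -", reason)
```

The first two constructed messages are flagged (lookalike sender plus a request to move money) and the third, a plain vendor report, is not. The rule deliberately requires an identity signal alongside the payment language so that legitimate invoices do not drown finance staff in alerts; the lists of staff names and vendor domains are where a real deployment would plug in its own directory data.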
What Las Vegas Nonprofits Should Do
The good news: the defenses that stop these attacks are practical and affordable. You don’t need an enterprise budget — you need the essentials done consistently.
- Turn on MFA everywhere. Email, your CRM and fundraising tools, cloud apps, and remote access. It is the single highest-impact step against stolen passwords and account takeover.
- Put EDR on every device. Modern endpoint detection catches the behavior traditional antivirus misses — credential theft, ransomware staging, and living-off-the-land activity. (It’s a core part of our cybersecurity services.)
- Back up — and test the restore. Keep immutable or offline copies attackers can’t encrypt, and actually practice restoring them so a ransomware hit is a bad day, not the end. Our business continuity solutions are built around tested recovery.
- Verify money movement out of band. For any wire, payment-detail change, or “urgent” transfer request, confirm by phone using a number you already have — never by replying to the email.
- Patch promptly, especially anything internet-facing. The Red Cross breach started with one missed update. Keep systems and third-party tools current.
- Train your people and your volunteers. Most breaches start with a click. Short, regular security-awareness training is cheap insurance.
- Vet your vendors. Ask your CRM, fundraising, and IT providers how they protect your data — and what happens if they’re breached.
None of this requires a Fortune 500 budget. For most Las Vegas nonprofits, the protective layer above costs a fraction of what a single incident would — and it protects the mission, the donors, and the people you serve.
Is Your Mission Protected?
Brydan helps Las Vegas nonprofits get the essentials right — MFA, EDR and security monitoring, tested backups, patching, and staff training — without overspending or overcomplicating it. We work with lean teams and tight budgets, and we explain everything in plain English.
About the Author
Brydan Solutions is a veteran-owned, minority-owned managed IT and cybersecurity provider based in Las Vegas, serving Nevada businesses since 2002. Our team manages IT, cybersecurity, Microsoft 365, and business continuity for small and mid-sized organizations across the Las Vegas Valley and remotely nationwide. Learn about our team or talk to a real person.