The Nonprofit Data Divide: How Small Charities Are Left Out of Cybersecurity Funding

When a Pennsylvania food bank fell victim to a malware attack last spring, its volunteers were stunned. The organization had served the community for decades but had never considered itself a target for hackers.

“We’re not a bank or a big company,” said its director. “We help families put food on the table. Why would anyone attack us?”

Within hours, donor data and payment records were encrypted, and the food bank's operations came to a halt for nearly a week.

Stories like this are becoming more common across the nonprofit sector. Despite handling sensitive financial and personal data, many small charities operate on razor-thin margins that leave cybersecurity out of reach. While government agencies and corporations receive billions in federal and state cybersecurity funding, community-based organizations rarely qualify. Experts are calling it the “nonprofit data divide.”

A report from the Cyber Readiness Institute (CRI) found that small to medium-sized businesses (including nonprofit organizations) face significant cybersecurity challenges due to “limited budgets, expertise, and time.” In addition, research shows that nearly 45% of nonprofits admit to not spending enough money on technology or investing in their cybersecurity infrastructure. Few have full-time staff dedicated to data privacy operations.

“These organizations aren’t just underfunded; they’re digitally abandoned,” says a cybersecurity researcher at the University of Maryland. “They manage sensitive donor information, but they’re excluded from most funding programs designed to protect critical infrastructure.”

The federal government’s State and Local Cybersecurity Grant Program, which distributes hundreds of millions each year to strengthen digital defenses, primarily benefits municipal and state agencies. Nonprofits, unless explicitly tied to government contracts, often don’t qualify.

“There’s an assumption that charities don’t face the same level of threat,” says the researcher. “That’s outdated thinking because hackers go where the data is easiest to steal.”

The consequences go beyond financial loss. Breaches in the nonprofit world erode public confidence and undermine missions built on trust. Donors expect their information to be safe; when it’s not, the damage reverberates. In one 2023 case, cybersecurity experts found an unsecured database belonging to DonorView, a platform used by many nonprofit organizations. The breach unfortunately revealed over a million records containing donors’ personally identifiable information (PII) such as their names, payment details, and contact information.

In another 2023 case, news outlets reported incidents of hackers and threat agents targeting animal rescue organizations by hijacking their social media pages. Scammers posted fake donation appeals, posing as these charities, in an effort to entice donors to give to their scams.

Larger nonprofits are beginning to recognize the risk and act accordingly. Organizations like the Red Cross and Habitat for Humanity have invested in dedicated cybersecurity teams and data compliance protocols. But smaller charities often rely on free antivirus tools and volunteer IT support. Many assume that cloud-based systems automatically provide adequate protection, which is a dangerous misconception.

“Cloud vendors are secure,” the researcher explains, “but if nonprofits don’t configure them correctly, they’re still vulnerable.”

Advocates argue that the solution lies in policy reform and resource sharing. Some states, including Maryland and Colorado, have begun pilot programs to help nonprofits access training and shared cybersecurity infrastructure. Others are calling for federal grant carveouts specifically for small charities.

“Cybersecurity should be viewed as part of operational overhead, just like accounting or insurance,” the researcher adds. “Without it, the risk is systemic.”

For now, organizations like the food bank remain caught between goodwill and vulnerability. Their mission depends on public trust, a fragile resource that, once broken, takes years to rebuild. As cyber threats evolve, so too must the definition of community care. Protecting donors, beneficiaries, and data isn’t just a technical necessity; it’s an ethical one.

Anne Woappi
Independent Author & Investigative Journalist
