Everything was missing. Client files, financial data — all gone one Wednesday morning from the servers of Cancer Services of East Central Indiana.
The small, Muncie-based nonprofit’s good work hadn’t prevented them from falling victim to a cyberattack like those that locked computers around the world last week.
The organization, also known as Little Red Door, was hacked in January and, months later, is still recovering.
Executive Director Aimee Robertson-Fant says the group couldn’t figure out what happened to their data when it went missing from the server.
What hackers did was “diabolical”
Adding to the confusion, she says, her staff started getting strange text messages “saying that ‘they were going to be our new best friends’ and that ‘they were going to help us.’ ”
Next came the email, with the subject, “Cancer Sucks, But We Suck More!”
“It was diabolical. It was cruel,” Fant says. “They were brutal.”
Hackers accessed the nonprofit’s server after a staffer inadvertently downloaded malware from an email. The hackers wanted 50 bitcoin, or what was then about $43,000, to return the data and keep it private.
“I hate to use the word traumatic, but it was,” Fant says. “You just don’t understand what’s happening, you just — it’s sort of an out of body experience, where we just couldn’t figure out why someone would be doing this to us.”
Fant says the FBI told her they’ve been investigating this group of hackers, and that they probably wanted sensitive information, such as bank account or social security numbers.
Hackers published private letters
But Little Red Door doesn’t keep anything like that on file, Fant says. So when they decided not to pay the ransom, the hackers posted what they did have.
“It was pretty despicable,” Fant says. “We send out grief letters to families [of] clients who have passed away, and they did publish some grief letters — on Twitter.”
Michael Wolfe, chief technology officer of Muncie-based software firm Ontario Systems, says organizations like Little Red Door are “only secure as your weakest link in the chain,” making them susceptible to hacking.
“So you need to be prepared for what you will do if that happens,” he says, “because the likelihood of that happening is increasing daily.”
Wolfe volunteered to help Little Red Door secure what data they could. But they couldn’t recover everything.
Fant says her staff has spent months painstakingly entering client information, from handwritten notes and manila folders piled and filed all over the office, back into their computers.
Patient advocate Diana Rinker has been cheerfully leading that effort.
“I have a month of back data to enter,” she says. She hoped to finish it that day. Then, she says, “we’ll be caught up on this end.”
Rinker was herself diagnosed with cancer just before the hack. She says she’s been on data entry duty between rounds of chemotherapy.
“It’s made it a little stressful,” she says. “But it’s so nice when our clients come in, because we’ve not had one client that hasn’t been understanding.”
Lesson for small businesses
Little Red Door has struggled since the hack with more than just paperwork. Without all their data in hand, they haven’t been able to get much of the grant funding that pays their bills.
Michael Wolfe, the software company CTO, says there’s a lesson here for small nonprofits and businesses.
“Stop. Sit down with your board. … and think through some questions about: What is your IT infrastructure? Where do you store data? What is your data?” he says. “I’m sure that there are improvements to be made that could prevent devastation.”
Hackers don’t discriminate, he says, and no matter how small your business or how noble your nonprofit’s mission, you could be vulnerable.