Archive for August, 2019

August 1, 2019

How Fundraisers Can Avoid 5 Big Mistakes Made by Capital One

Don’t worry. This post really is not about data security. It’s about much more. And I’ve written it for you, a fundraising professional.

But first, here’s some background:

Capital One, the tenth largest banking institution in the USA, announced it has experienced a major data breach involving the personal information of credit applicants and customers. In its official statement, the bank disclosed, “Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada…. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.” In addition, about 140,000 Social Security numbers were compromised, and one million of Capital One’s Canadian customers had their Social Insurance Numbers compromised.

The Capital One story presents the nonprofit sector with an opportunity to learn from someone else’s problem. Every charity should learn from the five mistakes made by the bank:

1. Inadequate Data Protection

Capital One stores data with Amazon Web Services, and AWS has said its own infrastructure was not compromised. The attacker got in through Capital One’s own setup, which the bank’s statement described as “a specific configuration vulnerability in our infrastructure.” The US Federal Bureau of Investigation has a former AWS employee, Paige A. Thompson, in custody, and the investigation is likely continuing. What we know for certain at this point is that Capital One’s data protection measures were not up to the task.

As a fundraising professional, I don’t have any idea about what sophisticated data protection tools exist. I suspect you don’t either. However, you have an obligation to make sure that your organization seeks out the expertise to safeguard the organization’s data. Furthermore, you need to make sure your organization has a policy about who has access to data and under what circumstances. I know you won’t have the security systems of a bank, but you do have an obligation to have reasonably robust security protocols in place.

2. Lack of Timely Reporting

The personal data of Capital One credit applicants and customers was compromised on March 22 and 23, 2019. The company didn’t learn of the breach until July 19, and it did not reveal it to the public until July 29. We do not know whether the FBI requested that the bank withhold news of the event pending an arrest. If so, the reporting delay is understandable. Nevertheless, the gap between the date of the incident and the date of disclosure was significant, even if it wasn’t the result of an actual mistake.

Fine wine improves with age. Problems do not. Whenever bad news is likely to become public or should be made public, it’s important to do so as soon as possible. This is true for both for-profit and nonprofit organizations. Getting the information out quickly and fully will help the organization preserve or, perhaps, even enhance its credibility.

3. Not Getting Out in Front of the Story

Once Capital One released the news, it did so haphazardly, despite having had 10 days to plan the disclosure roll-out. It issued a press release at 7:11 PM ET on July 29. By 7:41 PM ET, The Wall Street Journal website carried the news story, and other media outlets ran it around the same time. However, Capital One did not tweet the news until 8:43 PM ET. So when I first checked the Capital One Twitter feed, there was no mention of the story.

Even once the company addressed the general public, rather than just the news media, it did so with a bland tweet that simply read, “If you want to learn more about the Capital One cyber incident, please visit” along with a link to its press release and Frequently Asked Questions page.

The company did not issue an eye-catching alert. It did not disclose the nature of the “incident.” The same innocuous language and low-key look were used at the top of the Capital One homepage. Assuming they actually spotted the mention, readers had to click through to the press release to find out what happened and then to the Frequently Asked Questions page for additional information.

If something goes wrong at your organization, make sure you deliver your message on all the communication platforms your organization uses. Make it easy for folks to spot the information. Furthermore, make it easy for them to get more information by giving them a number to call or an email address, perhaps setting up both as hotlines for the occasion.

Capital One could have provided the public with the news without forcing folks to click through to the press release and then click over to the FAQ page. The bank could have also tweeted out tips for how its customers can protect themselves. Instead, the company is making people work a bit for the information. Don’t make the same mistake. Get people the information they need when they need it, and make it easy for them.

When something goes wrong involving your organization, whether or not it is to blame, you need to get out in front of the story in as coordinated a way as possible. At the point you alert the media, be prepared to take your message directly to the general public at the same time.
