UK arm of international charity the Salvation Army hit by ransomware attack • The Register
UK arm of international charity the Salvation Army hit by ransomware attack
Christian org becomes latest victim of latter-day IT scourge
Gareth Corfield Wed 30 Jun 2021 // 10:25 UTC
51 comment bubble on white
EXCLUSIVE Criminals infected the Salvation Army in the UK with ransomware and siphoned the organisation's data, The Register has learned.
A Salvation Army spokesperson confirmed the evangelical Christian church and charity was compromised, and said it alerted regulators in the UK. She told us:
“We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the Information Commissioner’s Office, are also in dialogue with our key partners and staff and are working to notify any other relevant third parties.”
She continued: “We can also confirm that our services for the vulnerable people who depend on us are not impacted and continue as normal.”
The Salvation Army refused to give any further information, such as the identity of the criminal attackers, or the volume and type of data accessed by the them. To date, nothing has emerged on known ransomware gang sites.
Sally Army staff and volunteers should keep a close eye on bank statements for mysterious transactions, and for correspondence suggesting new accounts have been opened with financial service providers. Ransomware gangs typically resell stolen information to other criminals for further exploitation.
Jake Moore, a cyber security specialist with Slovakian antivirus firm ESET, told The Register: “It is vital that those who could be at risk are equipped with the knowledge of how to mitigate further attacks. The first few days and weeks after a breach are the most important, as criminals will be quick to take advantage of the situation and strike while they still can.”
The Reg was told by sources that the Salvation Army first became aware of the attack around a month ago, which we are told affected a London data centre used by the organisation.
Army reserves
According to its full accounts for the year 2020 the two charity trusts registered by the UK arm of the org registered revenues of £240.822m and £160.4m respectively.
Fund balances brought forward for the SA Trust were £631.16m as of 31 March 2020 and for the SA Social Work Trust, general reserves amounted to £8.2m.
The UK arm of the charity - which has branches worldwide - calls itself "the largest provider of welfare services in the UK after the government". The Salvation Army won a £280m 2020 Modern Slavery Victim Care Contract with the Home Office last year. Under the deal, the SA provides "accommodation, support and assistance to potential victims of modern slavery and human trafficking to assist in their recovery" from June 2020 until June 2028.
It also does public sector work in other countries, notably France, Canada and the US. Forbes estimates it as the fourth largest charitable org in the US, with annual revenues of $3.3bn, $2.2bn of which is privately donated.
Home working
In 2018, the Salvation Army in the UK told Charity Digital it had replaced its PC-based network with a Citrix Virtual Desktops system, allowing workers to connect to its IT system securely from a range of devices, including Dell Qyse thin-client terminals set up for home working.
“Those who may believe they have had their details taken ... must contact their banks to add extra fraud protection and to be on guard for extra attempts such as unsolicited calls or emails phishing for extra information,” added ESET’s Moore.
Other infosec industry sources suggested that the Conti or Pysa ransomware gangs might have been behind the attacks. Conti was the strain of ransomware deployed by the WizardSpider gang, who perpetrated the Irish Health Service attack, which came within a whisker of paralysing Irish hospitals as staff were forced to fall back to paper-based processes from the pre-computer era.
Pysa, meanwhile, has been seen targeting schools and other such “soft underbelly” targets — and was also the criminal crew behind the Hackney Council hack late last year.
An ICO spokesperson confirmed the Salvation Army had reported an incident to it and told us: “People have the right to expect that organisations will handle their personal information securely and responsibly. If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.”
The Charity Commission told us: “In line with our guidance, the charity has submitted a serious incident report in relation to this matter. We are currently assessing this information and cannot comment further at this time.”
Christian org becomes latest victim of latter-day IT scourge
Gareth Corfield Wed 30 Jun 2021 // 10:25 UTC
51 comment bubble on white
EXCLUSIVE Criminals infected the Salvation Army in the UK with ransomware and siphoned the organisation's data, The Register has learned.
A Salvation Army spokesperson confirmed the evangelical Christian church and charity was compromised, and said it alerted regulators in the UK. She told us:
“We are investigating an IT incident affecting a number of our corporate IT systems. We have informed the Charity Commission and the Information Commissioner’s Office, are also in dialogue with our key partners and staff and are working to notify any other relevant third parties.”
She continued: “We can also confirm that our services for the vulnerable people who depend on us are not impacted and continue as normal.”
The Salvation Army refused to give any further information, such as the identity of the criminal attackers, or the volume and type of data accessed by the them. To date, nothing has emerged on known ransomware gang sites.
Sally Army staff and volunteers should keep a close eye on bank statements for mysterious transactions, and for correspondence suggesting new accounts have been opened with financial service providers. Ransomware gangs typically resell stolen information to other criminals for further exploitation.
Jake Moore, a cyber security specialist with Slovakian antivirus firm ESET, told The Register: “It is vital that those who could be at risk are equipped with the knowledge of how to mitigate further attacks. The first few days and weeks after a breach are the most important, as criminals will be quick to take advantage of the situation and strike while they still can.”
The Reg was told by sources that the Salvation Army first became aware of the attack around a month ago, which we are told affected a London data centre used by the organisation.
Army reserves
According to its full accounts for the year 2020 the two charity trusts registered by the UK arm of the org registered revenues of £240.822m and £160.4m respectively.
Fund balances brought forward for the SA Trust were £631.16m as of 31 March 2020 and for the SA Social Work Trust, general reserves amounted to £8.2m.
The UK arm of the charity - which has branches worldwide - calls itself "the largest provider of welfare services in the UK after the government". The Salvation Army won a £280m 2020 Modern Slavery Victim Care Contract with the Home Office last year. Under the deal, the SA provides "accommodation, support and assistance to potential victims of modern slavery and human trafficking to assist in their recovery" from June 2020 until June 2028.
It also does public sector work in other countries, notably France, Canada and the US. Forbes estimates it as the fourth largest charitable org in the US, with annual revenues of $3.3bn, $2.2bn of which is privately donated.
Home working
In 2018, the Salvation Army in the UK told Charity Digital it had replaced its PC-based network with a Citrix Virtual Desktops system, allowing workers to connect to its IT system securely from a range of devices, including Dell Qyse thin-client terminals set up for home working.
“Those who may believe they have had their details taken ... must contact their banks to add extra fraud protection and to be on guard for extra attempts such as unsolicited calls or emails phishing for extra information,” added ESET’s Moore.
Other infosec industry sources suggested that the Conti or Pysa ransomware gangs might have been behind the attacks. Conti was the strain of ransomware deployed by the WizardSpider gang, who perpetrated the Irish Health Service attack, which came within a whisker of paralysing Irish hospitals as staff were forced to fall back to paper-based processes from the pre-computer era.
Pysa, meanwhile, has been seen targeting schools and other such “soft underbelly” targets — and was also the criminal crew behind the Hackney Council hack late last year.
An ICO spokesperson confirmed the Salvation Army had reported an incident to it and told us: “People have the right to expect that organisations will handle their personal information securely and responsibly. If an individual has concerns about how their data has been handled, they should raise it with the organisation first, then report them to us if they are not satisfied with the response.”
The Charity Commission told us: “In line with our guidance, the charity has submitted a serious incident report in relation to this matter. We are currently assessing this information and cannot comment further at this time.”
