January 25, 2018; IRIN News

As the use of technology and databases has become standard practice in nonprofit organizations, all nonprofits need to implement appropriate security measures to protect the sensitive data of its constituents. NPQ has seen numerous cases over the years of data breaches that resulted in consumer and donor data being leaked. It is easy to assume that these security issues are faced by smaller grassroots organizations that may not have the capacity to put the proper safeguards in place; however, we have seen cases of national organizations and health systems that have accidentally released sensitive data. Those of us in the field may like to think that nonprofit organizations are immune to cybersecurity risks; why would anyone want our data? The reality is, nonprofit organizations collect incredibly sensitive information about its constituents and donors, which can include social security numbers, credit card information, and medical information.

Knowing this, the United Nations World Food Program’s (WFP) adoption of its centralized database, SCOPE, is particularly concerning. SCOPE is described as “the WFP’s beneficiary identity and benefit management system.” Essentially, it is a cloud-based database that collects and stores data about the individuals served through WFP’s programs around the globe. The benefit of this database is that it allows WFP to standardize data collection among its programs and quickly gain access to information, which results more efficient and timely distribution of resources.

A success story featured on WFP’s website discusses how SCOPE has helped farmers in the Philippines. Through use of SCOPE, farmers requiring food assistance receive an electronic ID card that allows them to claim food assistance through WFP and lets WFP to monitor and evaluate its program. Moreover, the portability of the system allows WFP to serve the farmers where they are. One farmer said, “This registration was much faster than I expected. I also appreciated that it was conducted in a nearby barangay. We didn’t have to travel far from our homes or spend money to be able to register and participate because registration took place near us.” The success of this WFP program demonstrates how technology can revolutionize a program and allow organizations to serve more people.

This success, however, needs to be taken with a grain of salt. Use of an electronic identity management system without proper security can cause further harm to those who are already vulnerable. SCOPE, which stores the information of millions of people, failed an internal audit that identified security risks it needs to address. According to IRIN, the journal that released the story, “Data specialists contacted by IRIN were alarmed but not shocked at the report. ‘This set of findings screams ‘accident waiting to happen,’ as well as a lack of understanding by senior [WFP] management’ of [what is] going on with their data at the country level.’”

The audit rated SCOPE “partially satisfactory/major improvement needed.” Among the risks noted by the audit, they specifically called out medium risk for “identification and management, including for fraud and/or corruption” and a high risk for “data integrity, security, protection and privacy.”

Not only does SCOPE operate in a manner that is inconsistent with WFP’s own data protection policy, the audit discovered that “beneficiaries did not give their informed consent to the use of personal data, and data was routinely copied without encryption or password protection.” With the WFP using SCOPE for identity management, and in doing so collecting all the information needed to identify a beneficiary—including fingerprints—the lack of safeguards in place is disturbing.

It is important to remember that the WFP’s SCOPE security issue is not an isolated case. Most nonprofits collect sensitive information about some of the most vulnerable people in the world. It is the duty of the nonprofit to not only collect the appropriate information for service delivery, but also to ensure this information is kept safe.— Sheela Nimishakavi