Lessons Learned from the GiveSendGo Hack

GiveSendGo was started in 2013 as a small company designed to serve the niche market of fundraising
for Christian causes. As GoFundMe started to react to political pressure regarding some of its
controversial campaigns, GiveSendGo began receiving more attention as an alternative platform for
crowdfunding needs. The trickle of interest became a groundswell when GoFundMe refused to follow through with a
campaign intended to fund the Canadian protest known as the Freedom Convoy. Overnight, this small
tech company became the center of attention as fundraising efforts shifted to the site, creating chaos as
thousands attempted to access the platform to contribute.

Meeting the demands of such a sudden influx of customers was not the only challenge for GiveSendGo.
Participation in such a controversial campaign also made the company a prime target for sophisticated
hackers. Not only was the personal private information of over 90,000 donors obtained and leaked to
various media outlets for publication, but the site was also redirected to a new URL which featured a looped
video from Disney’s film Frozen.

The week before the attack, the site had been alerted to insecure configurations of the Amazon S3 bucket it used for
hosting online files. The tech researcher became aware of the vulnerabilities by examining the source
code for the website and notified the company. GiveSendGo quickly set about repairing the misconfigurations,
but gigabytes of user data had already been open to potential exposure. The successful hacking
of the company the following week indicates that this was not the only weakness in the company’s
security posture.
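The misconfiguration described above is the kind of thing a routine bucket audit catches before a researcher or an attacker does. The following is an added illustration, not GiveSendGo's configuration or code: it evaluates a constructed S3 bucket policy together with the bucket's Block Public Access flags and reports every statement that grants anonymous access. Bucket names, the sample policies and the helper names are assumptions; ACL grants and policy Conditions are not modelled.

```python
import json

# Constructed sample: a policy granting anonymous read and listing of every object,
# the classic "hosted files are public to anyone who learns the bucket name" exposure.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"],
    }],
})

# Constructed sample: the same access scoped to one application role (hypothetical ARN).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # Both "*" and {"AWS": "*"} mean "any caller, authenticated or not".
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_statements(policy_json):
    """Return (Sid, actions) for each Allow statement whose principal is anonymous."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            findings.append((stmt.get("Sid", "<no sid>"), _as_list(stmt.get("Action", []))))
    return findings

def audit_bucket(policy_json, public_access_block):
    """With RestrictPublicBuckets enabled, S3 ignores public policy grants for
    anonymous callers, so only report findings when that guard rail is off."""
    if public_access_block.get("RestrictPublicBuckets", False):
        return []
    return public_statements(policy_json)
```

In a real audit the policy and the Block Public Access settings would come from the bucket itself rather than from constants, but the evaluation logic is the same.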

So what lessons are there to be learned from this scenario? First would be the need to attend to
information security issues no matter the size of your company. Not all companies will attract such
attention and exponential growth overnight, but robust security practices are the bedrock on which
everything else rests. Consumers of tech services deserve to have their personal and private
information treated with the utmost care. Exposing your organization and clients to such risks can cause
irreparable harm, wiping out all of the important work that has gone into establishing the operation in
one fell swoop.

Second would be to pay close attention to how your systems work with third-party services. It is
incorrect to assume that your technology is secure simply because you have relationships with highly regarded
companies. Your information security practices should take a comprehensive approach to your
systems, including your third-party integrations.

A cybersecurity partner like Asteros can be an invaluable tool for ensuring your small-to-medium
business or association does not fall prey to hackers. We specialize in offering the
customized solutions that are often needed in niche markets, at an affordable price. You can begin by
signing up for our free, no-strings-attached attack surface audit.