YMCA Cyber risk

It took YMCA NSW 20 days and a substantial amount to recover from the ransomware cyber attack that crippled its computer systems in August 2019. The not-for-profit youth organisation has a $70m a year turnover, serves more than 40 communities and employs more than 2000 people. Its services include gymnastics classes, swimming lessons, camping, out-of-school-hour centres and youth and community services. If the cyber attack had forced the organisation to close its doors, around 15,000 families in NSW would have been affected.

There’s never a good time for a cyber attack — and for the YMCA, August was particularly challenging. Chair Richard Hughes MAICD and CEO Susannah Le Bron were in London for a global conference of the international Y Group (to which all international YMCAs belong). Deputy chair Shirley Chowdhary GAICD was in Arnhem Land attending the Garma Indigenous culture festival, and the organisation was between IT managers with a contractor running the show.

Reflecting on the attack, Chowdhary, acting chair at the time, notes: “In the not-for-profit world there is an assumption you won’t be targeted by cybersecurity attacks. It crippled us for three weeks.”

The now-rebranded Y NSW is a sizeable organisation, but as a not-for-profit had considered itself an unlikely target for cyber attack. Nevertheless, it had decent systems hygiene, made regular back-ups, and was planning to move key systems to the cloud. The board had addressed the issue of cyber risk directly through its risk, audit and finance committee, and had recommended taking out cyber insurance earlier in 2019.

YMCA NSW also had disaster recovery and business continuity plans and, following the Royal Commission into Institutional Responses to Child Sexual Abuse, had developed a critical incident response plan it was able to use. Although the critical incident response plan did not directly address a cyber attack, the board from the outset determined that in alignment with organisational values, ransom would never be paid.

Chowdhary had worked previously with technology services business Servian and called one of the partners there for advice. The YMCA board and executive team expedited communications and decision-making. They met daily from the Monday with critical incident team meetings held every morning and afternoon. Chowdhary dialled in to board meetings from Arnhem Land, while Hughes and Le Bron called in from London.

According to Andrew Gemmell, head of cybersecurity at Servian, that rapid and clear engagement of the board was critical. “One of the keys to the success of this was just how strong the inside communications were,” says Gemmell. “There were regular board meetings and they [directors] made sure they were available and aware to make decisions very quickly.”

Chowdhary quickly posted a letter detailing the attack on the website. Although no personal information was compromised or lost, the YMCA used social media to keep stakeholders fully informed.

Chief operating officer Lisa Giacomelli strove for transparency. “I kept sending emails to keep a clear paper trail so that every aspect of our management of the incident was documented,” she says.

“Directors made sure they were available and aware to make decisions very quickly.” Andrew Gemmell, Servian

Y staff had to work on personal computers and devices, some had to work from home while all worked round the clock to rebuild systems and operate the Y’s extensive businesses manually.

CFO Jenny Woodward says since the attack, the organisation has refreshed its disaster recovery and business continuity plans, ensuring copies are printed and stored offsite, implemented an information security charter, boosted cyber education for staff and IT professionals, invested in systems monitoring and event detection services, and now has a three-year IT strategy and a roadmap that emphasises security.

Servian worked with Y staff to ensure systems were restored in order of criticality. According to Chowdhary, “There was a business opportunity loss, business continuity issues... a whole host of compliance issues. The main lesson is that cybersecurity attacks can happen to anyone.”

Cases such as these are a reminder for directors to be proactive with data security, says Scott McKean, chief security officer of IT firm Interactive. “Board members should ask about the effectiveness of their incident response plan: how quickly the business can detect and respond to an incident, what the implications and potential damage from any breach are; and what level of cyber insurance or other contingencies do they have in place.”

Lessons for the organisation

  • Engage in cybersecurity education for all staff and IT professionals.
  • Assess the configuration of the network for potential weaknesses.
  • Invest in modern cybersecurity technology, including monitoring and event detection services designed to arrest the spread of a cyber attack.
  • Regularly revisit disaster recovery and business continuity plans, ensuring contacts are current and printed copies of the plans accessible offsite.
  • Identify executives who will be responsible for communicating with official bodies following a data breach or cyber attack.

Lessons for the board

  • Ensure board members understand the risk of cyber attack and its potential consequences.
  • Address cybersecurity explicitly in relevant board committees.
  • Review insurance cover regularly, including business continuity and specialist cyber insurance.
  • Seek regular cybersecurity updates at board meetings from IT leadership regarding systems resilience and current risk landscape.
  • Determine how the organisation could continue to meet its financial obligations and pay

Resources for directors

AICD’s Cyber for Directors course enables participants to effectively engage as a board to identify evolving threats and risks to their organisation. The course is suitable for:

  • New and existing directors seeking a greater understanding of cyber.
  • Directors planning to protect and strategically use their company data and information.
  • CEOs, managing directors, chief information officers/IT managers/chief information security officers who report to their boards on cyber.

Note: prior governance knowledge is essential.

Diary of a ransomware attack

  • Sunday 4 August 2019 9AM, Sydney – Chief operating officer Lisa Giacomelli, (acting CEO) is notified the point-of-sale system isn’t working. More calls follow. “In under an hour, we knew we were in serious trouble — we had nothing,” says Giacomelli.
  • Sunday 4 August 9AM, East Arnhem Land – Deputy chair Shirley Chowdhary, is at the Garma Indigenous culture festival in Arnhem Land. When she turns on her phone that morning, it rings immediately. Giacomelli tells Chowdhary something’s gone very wrong with the YMCA’s computers and no-one can use the system. Chowdhary needs to work fast and touch base with management. She is also acting chair of YMCA NSW because chair Richard Hughes, along with CEO Susannah Le Bron, is attending a global Y conference in London.
  • Sunday 4 August 12PM, Melbourne – Servian head of cybersecurity Andrew Gemmell, takes a call from one of the firm’s partners, who has received a call from Chowdhary. The partner outlines the situation to Gemmell, who then calls YMCA’s acting IT manager for details.
  • Sunday 4 August PM, Sydney – IT specialists start work in the YMCA, data centre and, in round-the-clock shifts during the next two days, find evidence of Ryuk ransomware (which has been associated with North Korea) on its computers. They try to restore systems while preserving digital forensic evidence.
  • Monday 5 August AM, Sydney – YMCA board meets,. Chowdhary dials in from Arnhem Land, the chair and CEO from London. The board decides not to contact attackers (the quantum of the ransom was hence never revealed) and recommends Servian continues to work on the problem. YMCA critical incident response team (executives and external specialist consultants) reviews what has happened to ensure mistakes are not replicated during the recovery process. Most YMCA services remain open, operated manually. Attack is reported externally, including to AFP, Australian Privacy Commissioner, NSW government and regulators.
  • Tuesday 6 August, Sydney – IT specialists realise they can’t reverse the encryption, triggered by the ransomware, but the board determines that they will not pay a ransom and recommends the systems are rebuilt from scratch. The regular back-up and disaster recovery centre have also been encrypted in the attack, but a back-up to tape — completed on 2 August — remains intact. YMCA IT team and specialists rebuild the systems using the data on the tapes.
  • Wednesday 7 August, Sydney – Chowdhary announces, on website/social media that the Y was subject to a ransomware attack and is working with cybersecurity experts to determine the cause and ensure systems are operational as soon as possible The communication makes clear no customer or other data was compromised.
  • Friday 9 August, Sydney – The core system, running YMCA children’s centres is moved to a cloud-based solution to restore services.
  • Monday 26 August AM, Sydney – All YMCA systems, are restored and fully operational.