Earlier this year, the company who supply our database, Blackbaud, was hit by a series of cyber-attacks. Blackbaud informed the Information Commissioner’s Office and notified all affected organisations during July 2020. Blackbaud have assured us that the issue was resolved and that the data is now secure. They have also stated that there is no need for individuals to take any action at this time. We are making this statement to explain what has happened, and what action we, and Blackbaud, have taken.
Who is Blackbaud?
Blackbaud is one of the world’s largest providers of databases and customer relationship management systems for charities and other large organisations including many universities here in the UK and North America.
Why and how was Boaz affected?
We use a Blackbaud product called eTapestry as our main database. Blackbaud have told us that the data breach included a back-up copy of our database, and so it is possible that personal and contact details and also details of your involvement with Boaz may have been accessed. No bank details or other payment information will have been accessed as this data is encrypted and stored separately.
Sometime earlier this year (between 7th February and 20th May 2020), a cybercriminal hacked into Blackbaud’s systems and accessed data containing personal information, which they offered to destroy in exchange for a payment. Blackbaud paid a ransom to the cybercriminal and received assurances that the stolen data was destroyed and not used or sold on to any third parties. Blackbaud states that it has no reason to believe any data was shared beyond the cybercriminal, nor that it was or will be misused, nor will it be disseminated or otherwise made available publicly.
What has been done about this incident?
Blackbaud have carried out their own investigation into the attack with law enforcement agencies and third-party cyber security experts. They assured us that they have put new measures in place to stop the specific type of attack happening again. Blackbaud have also notified the UK’s Information Commissioner’s Office (ICO).
Since we first heard about the issue, we have had direct communication with Blackbaud to gain clarity on the situation. We have sought external advice and informed the ICO, and we are awaiting their further guidance. In line with GDPR and our data protection policies, we are in the process of contacting those who have been affected.
What do you need to do?
Blackbaud have stated that, in their opinion, this is unlikely to have any impact on individuals. However, we would always recommend that you remain vigilant and if you notice any unusual or suspicious activity that concerns you, please report it to the police.
We understand how concerning it is to receive news like this, and we are so sorry for any anxiety that this news may have caused you. If you have any questions, please do not hesitate to contact us.
Thank you for your understanding, and thank you for your support.