Blackbaud Data Breach Statement
The John Austin Cheley Foundation was notified by Blackbaud, Inc., one of our third-party service providers, that it had been the victim of a ransomware attack. Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organizations. Because we take the protection and proper use and security of our community’s information very seriously, we are providing information regarding the incident at Blackbaud as part of our commitment to accountability and transparency.
In May 2020 Blackbaud discovered the ransomware attack and reported that it had been working with their Cyber Security team, independent forensics experts, and law enforcement to investigate the incident. Blackbaud further reported that it successfully locked the cybercriminal out of the Blackbaud system and data files. The cybercriminal, however, was able to remove a copy of a subset of constituent data from several of Blackbaud’s clients, including the John Austin Cheley Foundation. You can read Blackbaud’s official statement about the security incident here.
What Information Was Involved
Blackbaud confirmed its investigation found that no encrypted information, such as social security numbers, bank account, and credit and debit information, was accessible. However, data accessed by the cybercriminal may have contained public constituent information such as name, address, email address, and telephone number.
Blackbaud also confirmed that to protect constituent data and mitigate potential identity theft, it met the cybercriminal’s ransomware demand, paid the ransom, and received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify the data accessed by the cybercriminal has not been misused. Based on the nature of the incident as reported by Blackbaud, their research, and third party (including law enforcement) investigation, Blackbaud believes that none of the data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What are We and Blackbaud Doing?
As part of Blackbaud’s ongoing efforts to help prevent something like this from happening in the future, Blackbaud has represented that it has already implemented several changes to protect data from any further incidents. Additional information can be found in their official statement here.
Since learning of this incident, the John Austin Cheley Foundation has been working with Blackbaud to understand the scope of the ransomware attack and the steps it is taking to prevent future data security incidents. Our leadership team is reviewing the incident very closely and will continue to evaluate our relationship with Blackbaud.
What You Can Do
We want to emphasize again that Blackbaud has assured us that no credit card, bank account, or other information of that nature was compromised. However, as a best practice, to ensure your safety against cybercrime, we recommend that you remain vigilant and report any suspicious activity or suspected identity theft to the proper law enforcement authorities. In addition, you may wish to visit www.ftc.gov/idtheft, which contains helpful tips for all online users.
We take data protection very seriously and are grateful for the continued support of our donors and friends. The privacy of our community is of the utmost importance to us. While we were not the target of this attack, nor were we the only organization affected, we wanted to make you aware of the incident and are committed to protecting your private information.
If you have any further questions or concerns regarding this matter, please do not hesitate to contact us.