Blackbaud data breach statement

29 January 2021

We want to make our supporters aware of a data breach involving one of our data providers, Blackbaud, which may have involved personal information of our supporters.

Blackbaud is an industry-recognised provider of customer relationship management software which is used by more than 30,000 organisations in 60 countries. The Lucy Faithfull Foundation uses Blackbaud’s Raiser’s Edge software to help us manage our donor database and supporter communication systems.

What happened

We became aware on 22 January 2021 that a data breach involving Blackbaud had impacted our database. Previous attempts by Blackbaud to contact us had been unsuccessful. In May 2020, Blackbaud discovered it had been the victim of a ‘ransomware’ attack (an attempt by cybercriminals to hold an organisation’s computer files hostage unless and until payment is made to the cybercriminal). The data breach affected numerous UK charities, universities and other organisations.

Blackbaud has stated that with the help of forensic experts and law enforcement, it was able to stop and resolve the attack, but not before the cybercriminals had removed certain backup files that may have contained some personal information of some of our supporters.

What information was involved

Blackbaud have confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible, and we do not hold this information on our database.

The data that might have been affected from our database includes some details related to donors and individuals who have signed up to receive newsletters from us. This data could include: names; contact information including telephone numbers, email addresses and mailing addresses; and a history of donor relationships such as donation amounts and dates and events people have attended, only where we have recorded that information on our database.

To protect personal customer data, Blackbaud have stated that they paid the cybercriminal’s demand with confirmation that the removed copy had been destroyed. They state that based on the nature of the incident, their research, and third-party (including law enforcement) investigation, there is no reason to believe the data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. However, as is the case with any cybercrime, it cannot be entirely ruled out that personal information of some of our supporters may have been subject to unauthorised access.

Our response

We have contacted everyone on our database where we have an email address or telephone number on record. This is likely to be those we have been in contact with for fundraising or communications purposes over the past five years or more.

We have decided to use telephone or email contact as the most efficient and timely method of communication, rather than relying on postal notifications. This website notice aims to supplement our personal communications.

We are working with Blackbaud to understand what actions they have taken to increase their security.

We have informed the Information Commissioner’s Office (ICO) of the breach and also the Charity Commission, who each have a role in overseeing and regulating our activities.

Your response

There is no need for anyone who believes their details may have been compromised to take any action at this time.

However, we want to stress that as an organisation we would not phone, email or write to supporters asking for monetary donations. Soliciting funds from supporters in this way is not part of our fundraising operations. Therefore, if you receive any communications purporting to be from the Foundation requesting donations, please do not respond, and we would be grateful if you could alert us.

Also, as best practice, we recommend that supporters remain vigilant and promptly report any suspicious activity or suspected identity theft to the police. More information and advice is available from Action Fraud.

Our commitment

We deeply regret that this incident occurred. While data breaches and ransomware attacks are becoming more common, this is not something The Lucy Faithfull Foundation ever wants to happen to our valued supporters.

Blackbaud has apologised to The Lucy Faithfull Foundation and, on behalf of them and the Foundation, we sincerely apologise for any inconvenience this incident may cause you.

Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.

If you have any questions or concerns regarding this matter, please do not hesitate to contact Adrian McNulty, Data Protection Officer: amcnulty@lucyfaithfull.org.uk.

Postal address: Mr Adrian McNulty, The Lucy Faithfull Foundation, 2 Birch House, Harris Business Park, Hanbury Road, Stoke Prior, Bromsgrove, B60 4DJ.

 

Deborah Denis
CEO
The Lucy Faithfull Foundation
