Blackbaud Data Breach

In May, Blackbaud, a software platform used in the U.S. and around the world, had a data breach that affected many of its 45,000 clients, including schools, nonprofits, religious organizations, and hospitals.

Blackbaud impacted national organizations such as the Smithsonian Institution, The American Red Cross, the Cancer Research Institute, and the Rhode Island School of Design. Feed More was also affected.

“Cyberattacks are part of the world we live in now,” said Jeff Wilklow, Feed More’s new Chief Development Officer. “Donors are understanding, but we all expect that these organizations will handle personal information securely and responsibly. Feed More utilizes one of the Blackbaud platforms, ResearchPoint, to store information such as name, date of birth, home address, and email address. Still, we don’t utilize Blackbaud to store financial information.”

Blackbaud began telling users of a system breach on July 16. What has many users unhappy is that the attack happened on Feb. 7, went undetected until May 14, and users were not notified until July.

“At first glance, the high-level timeline may cause some customers to question the expedience of our response,” an official said during a recent interview with The NonProfit Times. “An investigation and detailed forensic analysis was needed to be able to confirm the scope of the incident, to pinpoint which customers were involved and also how they were involved. And our top priority was to stop the cybercriminal and expel them from our system, which was also part of the timeline.”

“Because the vulnerability was fixed and tested by third parties, we confirmed that the issue had been remediated and the risk of information exposure did not increase during the period from when our investigation started to when we notified customers. It is quite common in the industry for this sort of investigation to take a few months, as in our case, or — in many cases with other providers — much longer before notification. We truly went as fast as we could,” the official said.

In the same The NonProfit Times article, Blackbaud’s Chief Information Officer Todd Lant said, “We value every good social organization that is part of the Blackbaud family, and we sincerely apologize to our customers for the disruption this caused. Our cybersecurity team stopped this sophisticated ransomware attack before the criminal could lock down our network, but this understandably created concern for customers who were part of the incident as they worked to understand and navigate the details.”

“We have implemented additional measures to prevent this from happening again and are working closely with law enforcement. We are taking this very seriously and will continue to work with every customer who has questions or needs additional support.”

At Feed More, the security of donor information is a top priority, and we sincerely regret any concern or inconvenience Blackbaud has caused our donors. And while Blackbaud has advised us that they have not seen any evidence of misuse of any Feed More donors, we encourage you to stay vigilant and monitor your accounts. You can also leverage the fraud alerts and security freeze capabilities at each of the credit bureaus listed below.

 

Equifax  (https://assets.equifax.com/assets/personal/Fraud_Alert_Request_Form.pdf)

TransUnion (https://www.transunion.com/fraud-alerts)

Experian (https://www.experian.com/fraud/center.html)