(Posted 29 July, 2020)

Blackbaud cyber security incident

Like many charities and non-profit organisations around the world, we were recently made aware that our database provider, Blackbaud, had suffered a ransomware attack. Blackbaud is one of the largest providers of customer relationship management systems to the charitable sector, and like many other charities in the UK, we have unfortunately been affected by this latest incident.

We continue to receive information from Blackbaud as to the extent of the attack and its impact on the charity, our members and supporters. We have set out below the information we have received from Blackbaud as matters currently stand on 29th July 2020. This statement will be updated as and when we receive further information.

What do we know?

On Thursday 17 July 2020, we were informed by Blackbaud that in May 2020 there had been an attempted security incident on the company, which they had discovered and stopped. Blackbaud has also provided a statement on its website which can be found at: https://www.blackbaud.com/securityincident

Blackbaud have confirmed to us that the attackers attempted to carry out a ransomware attack. This involves the attackers encrypting a victim company’s data, and then offering a decryption key in exchange for a ransom. As further leverage to extract the payment of a ransom by Blackbaud, the attackers also copied some back-up files. The attackers offered to delete the copies of the back-ups if the ransom was paid.

Blackbaud say that they were able to avoid a shutdown of their systems caused by the ransomware. However, they engaged with the attacker and paid the ransom in order to secure the deletion of the copies of the back-ups that were taken.

Blackbaud believe that the attackers would keep to their word in deleting the back-ups for the following reasons:

  • Ransomware attackers’ business models rely on them keeping their word, such that future victims will not consider paying ransom if there is no confidence that the attacker will do what it says it will do.
  • A specialist ransomware negotiation company was used, who gathers intelligence on cyber attackers and whether they have a history of keeping their word.
  • US Federal law enforcement also keeps intelligence on the attackers.
  • As a result of the assurances Blackbaud received that the attacker would keep to its word, Blackbaud paid the ransom.

We were not aware of this ransom negotiation or payment and have only since become aware of what happened from the information provided by Blackbaud. Blackbaud have provided reassurances around the potential risk to the charity’s data given that it was a condition of the ransom payment that the data was deleted. Blackbaud have indicated that the attacker’s motivation in the attack was to obtain the ransom payment, and not to target any data in the backups itself. Indeed, Blackbaud have confirmed that none of the backups contained payment card details, bank account numbers, or other information needed for identity theft.

In case the attacker did not do what it promised, Blackbaud has also retained the services of a specialist cyber security company to constantly scour the dark web and other areas where cyber criminals offer stolen information for sale. Blackbaud has also requested US Federal law enforcement to help with that search. Blackbaud confirmed that they have not found any information from the attack being offered. Blackbaud has committed to search indefinitely and to update its customers in the unlikely event that data does surface.

How does this affect the charity?

Blackbaud has confirmed that the Society is one of many of its customers whose data was included in the subset of data that was copied from their systems. This included eTapestry, our database system.

What information was involved?

We have been assured by Blackbaud that the incident does not involve any banking or financial details. However, it is possible that some of the information may include details regarding our community on their encephalitis journey including names, addresses and how members and supporters may have used our services.

We continue to work hard to determine exactly what information was included in the affected subset of data.

What are we doing?

Our Senior Leadership Team are working with our Board of Trustees, who have legal, IT, data protection and cyber security experience, to understand from Blackbaud how this happened. We have notified the Information Commissioner’s Office (ICO) about this incident and have a legal team supporting us. We don’t yet know everything, but we wanted to tell you as much as we can, as soon as we felt we were in a position to do so. We will also be reviewing our ongoing use of Blackbaud services as part of our response to this incident.

What can individuals do in response to this incident?

Based on the reassurances Blackbaud has provided, Blackbaud believes it is unlikely that there will be a residual risk to individuals’ data as a result of the attack.

However, the attack acts as a reminder that it’s always good to be aware of how to keep your personal data secure. Helpful information on how to do this can be found here.

What happens next?

We are also working closely with Blackbaud to gain further information in relation to the attack and to understand the steps they are taking to protect against similar attacks in the future.

Will you be informing members and supporters?

We will be contacting our members and supporters by email, in order to alert them to this statement.

Anyone with specific concerns can get in touch with us, as set out below.

For more information

We continue to be grateful for your support, and although the Society could not have prevented this happening, we apologise as we know this may cause concerns.

We can assure you that our systems and practices are robust and that we will always be honest and open with you. Please see our Privacy Policy.

If you’d like to talk about this or ask any questions, our Data Protection Officer is Phillippa Chapman. She can be emailed here.

If you would prefer to phone please contact +44(0)1653 609911 and we will get back to you as soon as we can.