Notification of a third-party cybersecurity data breach
Background
Blackbaud, a provider of software and cloud hosting solutions for the charity, alerted us to the fact that some of our data held on the Raisers Edge database may have been compromised. They reported that they had stopped a ransomware attack but had paid a ransom demand after hackers stole data from the company's network and threatened to publish it online. The incident took place in May 2020, when hackers breached Blackbaud’s network and attempted to install ransomware in order to lock the company out of its data and servers.
Action on Addiction response
The information below relates to a data security incident at a third-party service provider of Action on Addiction. We believe it involves several UK and US healthcare, educational and not-for-profit organisations, as well as our charity. We take our data protection responsibilities very seriously, and as soon as Blackbaud informed us of this issue we launched our own investigation.
What happened?
On 16 July we were contacted by a third-party service provider, Blackbaud. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of Action on Addiction’s data, namely the details of supporters of the charity held on a database named ‘Raisers Edge’.
We use this system to record engagement with those who have, over many years, raised money for the charity or made a charitable donation. Having undertaken a review of the information held on Raisers Edge, we are content that most of the data held poses no risk, or only a low risk, to the individuals or companies named. Where we consider that the personal risk to an individual or company is not low, we will share details of this breach of Blackbaud’s systems with those individuals.
What information was involved?
We would like to reassure those involved that:
a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible;
Blackbaud also confirmed that no credit card information formed part of the data theft.
The data accessed by the cybercriminal may have contained some of the following information:
Basic details e.g. name, title, gender, date of birth;
Addresses and contact details e.g. phone, email;
A record of an individual’s engagement with the charity and fundraising activities, e.g. enquiries, event participation such as reunion meetings, volunteering, donations, and any other interactions with us;
Professional details, e.g. the profession people work in and their employer;
Information about supporters’ interests which may have been gained in response to one of our surveys.
All bank and other financial details, if held on file, were encrypted and were therefore not compromised.
What are we doing about the situation?
Blackbaud have informed us that, in order to protect the data and mitigate potential identity theft, they met the cybercriminal’s ransom demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed. However, although we appreciate these assurances, we are not sufficiently content to accept them in isolation, and we have launched our own investigation.
We have taken the following steps:
We are reviewing the data held on Raisers Edge. It is anticipated that most of the data will be classified as already available to the public, either through social media or other forms of public enquiry, and therefore as low personal risk;
We will be notifying individuals if we feel it is appropriate, so that they are aware of this breach of Blackbaud’s systems and can remain vigilant;
We have informed the Information Commissioner’s Office (ICO) of the breach; their advice was to assess the level of risk, act accordingly and remain compliant with GDPR. We will seek further guidance from them if required;
We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
There is no need for anyone who believes their details may have been compromised to take any action at this time. As best practice, we recommend that people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If anyone would like to contact a member of the Action on Addiction team, please contact us on 0300 330 0659.
Steps we have taken in response
We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and the Information Commissioner’s Office. We regret any inconvenience that this data breach at Blackbaud may have caused. Please be assured that we take data protection very seriously, and we are grateful for our supporters’ continued support and engagement.