All of us at the Bay Area Community Foundation (BACF) value the trust you have placed in us, and we take the protection and proper use of your personal information very seriously. It is why I am writing to you today to inform you of a data security incident at Blackbaud, a third-party service provider to BACF, which may have included some of your personal information.
What Happened
Used widely by nonprofits, Blackbaud is a global company providing cloud-based data management software. On July 16, 2020, Blackbaud notified BACF that in May 2020, they were subject to a ransomware attack. In a ransomware attack, cybercriminals attempt to lock businesses out of their own data and servers until a sum of money is paid. After discovering the attempted attack, Blackbaud’s security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking Blackbaud’s system access. Prior to being expelled from Blackbaud’s system, the cybercriminal removed data, which included BACF’s backup file. Blackbaud has assured us that no bank account information, credit card information, usernames, passwords, or social security numbers were accessed by the cybercriminal as that information was securely encrypted. The information that was accessed may have contained your contact information (mailing address, phone number, email) as well as your giving history with BACF.
Moving Forward
As a result of its investigation with law enforcement, Blackbaud has stated there is no evidence to believe data went beyond the cybercriminal, was or will be misused, disseminated, or otherwise made publicly available. They have hired a third-party team of experts, including a team of forensic accountants, to continue monitoring for any activity related to this data. Blackbaud has reported implementation of several changes that will protect its system, and our data, from subsequent incidents. The company has also accelerated its efforts to further harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
In keeping with regular precautions, we recommend you remain vigilant and review your financial account statements and credit reports for fraudulent or irregular activity on a regular basis. Report any suspicious activity or suspected identity theft to the proper authorities.
For More Information
As one of many nonprofits affected by this attack, BACF has worked with a coalition of foundations in the Great Lakes Bay Region as we all have navigated through this new territory. Our combined due diligence led to further detailed information from Blackbaud about the nature and scope of the incident. Visit bbincident.wixsite.com/blackbaud to learn more.