Cybercriminals obtained donor data belonging to charities and other non-profits following a ransomware attack on Blackbaud.
The technology firm, which is one of the largest providers of fundraising and supporter management software to the charity sector, has notified affected clients about an incident where cybercriminals accessed some clients’ data.
Blackbaud said that no credit card or payment data was obtained by criminals, and that it paid the ransom to ensure that data will not be made publicly available or shared elsewhere.
In a statement on its website, the firm said: “Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
The breach occurred in May. Blackbaud contacted affected users this month as well as posting details on its website.
Blackbaud has apologised to customers and said that it has made changes to avoid a similar attack in the future.
Its statement said: “We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again.”
The company said that JustGiving, a popular fundraising platform owned by Blackbaud, was unaffected by the attack.
Blackbaud declined to say how many clients were affected or to give any breakdown by region or sector, citing client privacy, but said: “The majority of our customers were not part of this incident.”
However, many organisations have been contacting their supporters to alert them to the breach.
One affected charity, YoungMinds, told supporters it has filed a serious incident report with the Charity Commission and informed the Information Commissioner’s Office.
In a statement YoungMinds said: “We have been assured by Blackbaud that there is a low risk to YoungMinds’ supporters, but all the same we would urge all of our supporters to continue to be wary of unexpected communication, and practise the usual caution around suspicious emails and letters.”
A number of UK universities have also been affected.
The University of York has warned people on its database that details such as their name, date of birth, address, educational record and profession could have been compromised.
Meanwhile the University of Leeds said that details of donations made through its alumni portal, although not the payment method, could have been affected.
A US-based non-profit, Human Rights Watch, which was affected by the attack, announced that it is “no longer using Blackbaud to process new credit card or donor information”.