Hackers may have accessed some financial data from the National Trust’s database during a ransomware attack on Blackbaud last May.
When the incident was initially reported in July, the technology firm said that no payment data was obtained by criminals.
However, in a regulatory filing with the U.S. Securities and Exchange Commission that was published last week, Blackbaud said further investigations had found that cybercriminals “may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords”.
Blackbaud is one of the largest providers of fundraising and supporter management software to the charity sector. At least 50 charities were affected by the initial data breach and reported a serious incident to the Charity Commission in July.
At the time, Blackbaud apologised for the incident and said it had paid a ransom to the cybercriminals in order to make sure that the data would be destroyed.
National Trust ‘identifying and contacting those who may have been affected’
The National Trust has said it was contacted by Blackbaud and that some financial data from its database may have been accessed.
Jon Townsend, chief information officer, said: “We have been told by Blackbaud that some financial data from our database may have been accessed as a result of this breach. No member or donor records were compromised. We have been assured that all the data has since been destroyed and we are now in the process of identifying and contacting those who may have been affected.
“Anyone with concerns over whether their financial data was accessed can contact us at [email protected].
“We have reported the latest development to the UK's regulator for data protection, the Information Commissioner's Office and the Charity Commission.”
Other charities confirm they were not impacted
Blackbaud has said this latest development does not affect all customers. A number of charities affected by the initial data breach confirmed to Civil Society News that they were not impacted by the latest development.
Among them are Crisis, Breast Cancer Now, Sue Ryder, Myeloma UK and Young Minds.
Crisis, for example, said: “We were contacted by Blackbaud directly last week who confirmed that Crisis is not one of the organisations affected in this way. In our case, none of the supporter data that was accessed included financial information as this was encrypted.”
Blackbaud continuing its investigation
Blackbaud said in the filing: “After July 16, further forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible.
“These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of September 27, 2020 and are being provided with additional support.
“We expect our security incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as appropriate.”