At least 50 charities are now known to have been affected by a ransomware attack on Blackbaud earlier this year.
The National Trust, Crisis and Sue Ryder are among the charities which had data stolen by cybercriminals in May.
In July the technology firm, which is one of the largest providers of fundraising and supporter management software to the charity sector, notified affected clients about an incident where cybercriminals accessed some clients’ data. Blackbaud said that no credit card or payment data was obtained by criminals, and that it paid the ransom to ensure that data will not be made publicly available or shared elsewhere.
Blackbaud has declined to say how many clients were affected, but the Information Commissioner’s Office (ICO) said it has received 125 reports of data breaches and the Charity Commission said 50 charities have reported serious incidents.
A spokesperson for the ICO said: “People have the right to expect that organisations will handle their personal information securely and responsibly. The cloud software company Blackbaud has reported a data breach incident which has potentially affected a large number of UK organisations using its services, and we are making enquiries.
“Organisations involved should be getting in touch with their customers to inform them if their personal data has been impacted. Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied.”
National Trust: ‘We launched an internal investigation’
The National Trust is one of the largest charities in the UK and uses Blackbaud’s software for some of its fundraising and volunteering programmes.
Jon Townsend, chief information officer, said: “We take our data protection obligations extremely seriously, and as soon as we became aware of this incident, we launched an internal investigation and are working with the third-party supplier, Blackbaud, to assess whether any further action is needed.
“This affected our volunteering and fundraising community and did not involve any data from our membership database. We are currently in the process of identifying and informing those affected.
“We have been told that no financial data, credit card, account details or passwords were accessed as a result of the Blackbaud breach. We understand that any data that was accessed has since been destroyed.
“We have reported the incident to the UK's regulator for data protection, the Information Commissioner's Office, and the Charity Commission.”
Crisis: ‘We are incredibly frustrated by this incident’
In an email to supporters, Jon Sparkes, chief executive of Crisis, said: “We have been assured by Blackbaud that the risk to our supporters is low. We are advising all of our affected supporters to be wary of any unexpected communications and continue to be cautious with any suspicious emails, letters or phone calls.”
Crisis stopped using the affected system in 2018, and Sparkes said: “Any information that you have given to us since then has not been affected.”
He added: “Like you, we are incredibly frustrated by this incident. Please rest assured that we take your data and privacy seriously.”
The Charity Commission said that so far 50 charities had reported serious incidents. It advises charities using cloud technology to read and use the National Cyber Security Centre’s Cloud Security Guidance.
Alan Bryce, head of development, counter fraud and cybercrime at the Charity Commission, said: “When a cyber attack targets a charity, its effects are felt beyond data and systems – it can harm the valuable work a charity does or the people it is set up to help.
“Charities are increasingly reliant on IT and technology to deliver on their purposes, and so it’s vital that we are all alert to the risks posed by malicious cyber activity. I encourage all charities to make use of our resources to strengthen their defences.
“Our research has shown encouraging signs that charities who have suffered cybercrime go on to revise their IT security, their training programmes or their website security. Do not wait until it is too late for your charity.”
The palliative care charity Sue Ryder posted an update on its website confirming that it had been affected.
Other charities affected by the breach include Action on Addiction, Breast Cancer Now, Maddabi GB, Myeloma UK, The Urology Foundation and Young Minds.
A number of UK universities have also been affected by the breach.