Girls Inc. of Durham has recently learned that our third-party fundraising software provider, Blackbaud, has experienced a data security breach that has impacted many of its clients around the world, including Girls Inc. of Durham, ON, Canada. Unfortunately, this data security breach at Blackbaud involves personal information of some of our stakeholders.
While the data security breach did not occur at Girls Inc of Durham, we take the protection and proper use of personal information very seriously and ensuring the safety of this information is of the utmost importance to us, no matter where it resides. The safety of our girls and our supporters is at the forefront of every decision we make. We are deeply disappointed that Blackbaud waited nearly two months to notify us of this breach, and are reviewing our current agreements with the provider to make sure this does not happen again.
What Happened
On August 5, Girls Inc of Durham was notified by Blackbaud of a data security breach. Blackbaud is an international vendor whose services support fundraising at nonprofits across the country in Canada and the USA, including Girls Inc. of Durham. Blackbaud had advised that they were a victim of a sophisticated ransomware attack. After discovering the attack, Blackbaud’s cyber security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of a backup file from the Blackbaud system, which contained some of our stakeholder information. This occurred between February 7, 2020 and May 20, 2020.
While it is our understanding that this breach has impacted organizations internationally, this letter is only in reference to Girls Inc. of Durham. More information on the breach may be found at https://www.blackbaud.com/securityincident.
What Information Was Involved
The backup file in the Blackbaud system may have included information about stakeholders including a subset of our donors and others that may have engaged with Girls Inc. of Durham. This information may include names, addresses, email addresses, phone numbers and giving history to Girls Inc. of Durham (including donation amount(s), payment method, and if a donation was to a specific giving area). No credit card or banking information was compromised, except the payment method by which a donation was made to Girls Inc of Durham (example. credit card or cheque) and the card type used to make the donation (ex. Visa, Mastercard, American Express). That is, no credit card numbers, credit card expiry dates, credit card security codes, or bank account numbers were compromised.
Following their investigation into the event, Blackbaud opted to pay the cybercriminal’s demand only after receiving credible confirmation that the copy of the backup file had been destroyed by the cybercriminal.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has advised that they have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud has also hired outside experts to monitor the web and have found no evidence that any information has been released.
What We Are Doing
Girls Inc. of Durham takes the protection and proper use of personal information very seriously and ensuring the safety of this information is of the utmost importance to us. We remain as committed as ever to the security of your data. We will be reviewing internal policies, along with our agreements with Blackbaud, to ensure the utmost level of cybersecurity. We are sending this directly to our donors and posting this on our website out of an abundance of caution to ensure all of our stakeholders are aware of the situation.
We have sent e-mails or letters directly to potentially affected individuals for whom we have current contact information.
We met with Blackbaud who has confirmed they were able to identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has fixed the vulnerability. Blackbaud has reported that they have confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, Blackbaud is accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms and we will work closely with Blackbaud to understand what actions they are taking to increase their security. As noted above, Blackbaud has engaged with law enforcement as part of their investigation into this incident.
What You Can Do
As always, you should remain vigilant with respect to unsolicited emails. Remember, Girls Inc. of Durham will never contact you requesting any password information or log in credentials. If you ever notice suspicious activity, you should of course report it to the appropriate authorities and organizations.
If you ever have any concerns about the validity of any contact you receive from Girls Inc. of Durham, you may find our contact information independently through our website and can contact us directly to confirm.
Below are some additional resources that you may find useful:
- The Canadian Anti-Fraud Centre: https://www.antifraudcentre-centreantifraude.ca/protect-protegez-eng.htm
- The Canadian Centre for Cyber Security: https://cyber.gc.ca/en/cyber-incidents
- The Government of Canada: https://www.canada.ca/en/immigration-refugees-citizenship/services/protect-fraud/internet-email-telephone.html
For More Information
We recognize that this is an upsetting and unacceptable incident. We sincerely apologize for and regret any inconvenience this incident may cause you.
If you have any questions or concerns regarding this matter you can call me at 905-428-8111 extension 224, available between 9 am to 4 pm EST Monday through Friday or email me at yndrew@durham.girls-inc.org
Sincerely,
Yvette Nechvatal-Drew, Executive Director, Girls Inc. of Durham