Foundation is notifying a large number of its donors, alumni and other constituents of a data security incident that occurred at Blackbaud, Inc. (Blackbaud), and sharing the steps it and Blackbaud have taken in response to the incident. Blackbaud is a cloud-based software company that provides customer relations management services to thousands of schools, hospitals, and other non-profits.

What Happened

On July 16, 2020, Blackbaud notified the Foundation that they had discovered a ransomware attack on their network. The time period of unauthorized access to Blackbaud's network occurred between February 7 and May 20, 2020. Working with law enforcement and its own third party cyber security firm, Blackbaud conducted an investigation, determined that backup files containing information from its clients had been taken from its network, and an attempt was made to encrypt files to convince Blackbaud to pay a ransom.

Blackbaud reported that the cybercriminal did not access credit cardholder data, and in most cases, fields intended for sensitive information were encrypted and not accessible. And based on the nature of the incident, its internal research, and third-party investigations (including law enforcement), Blackbaud believed that no data went beyond the cybercriminal, and was or would be misused, disseminated or otherwise made available to the public. Blackbaud reported that they eventually paid the cybercriminal’s demand with confirmation that the data removed had been destroyed.

On September 29, 2020, Blackbaud notified us that, on further investigation it was determined that some data they believed to be encrypted were in fact not encrypted. On October 6, 2020, the Foundation was able to obtain a copy of that data and determined that the backup files referenced in the September 29, 2020 notification contained certain information that was part of a legacy table of names and Social Security numbers retained on Blackbaud's servers that was not encrypted. Blackbaud has assured us that these legacy tables will be deleted by the end of the year, and that they have hired a third party to monitor the dark web as a precautionary measure.

Our Response

To date we have no evidence that any personal information has been misused, disseminated or made available to the public. It is our duty and obligation however, to let our constituents know this happened and to assure them that we take this matter very seriously. As an added precaution, we have secured the services of a firm to provide identity monitoring at no cost for one year. The identity monitoring services include Credit Monitoring, Fraud Consultation, and Identity Theft Restoration. We encourage you to remain vigilant by reviewing your account statements and credit reports for any unauthorized activity.

We regret that this occurred and apologize for any inconvenience to our constituents. We encourage those who have questions or concerns regarding this matter to contact us without hesitation at (833) 971-3231. Calling this number sends the caller directly to the incident assistance center for a timely and informed response.

Cleve Warren
Executive Director, FSCJ Foundation