Notice of Blackbaud Data Security Incident
One of RMHC MB’s third-party service providers, Blackbaud, recently made RMHC MB aware of a data security incident that may have involved the personal information of our supporters.
As RMHC MB takes the protection and proper use of your personal information very seriously, we are contacting you to make you aware of the incident, explain to you what we have been advised by Blackbaud about the incident, and to suggest steps that you may wish to consider to protect yourself in light of the incident.
On July 16, 2020 RMHC MB was notified by Blackbaud that in May, 2020 it discovered and stopped a ransomware attack that impacted many of Blackbaud’s clients worldwide, including RMHC MB. According to Blackbaud, after discovering the attack, it, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking its system access and fully encrypting files; and ultimately expelled the cybercriminal from its system. However, prior to being locked out of the system, the cybercriminal was able to copy and remove a subset of data. Blackbaud has confirmed that RMHC MB data was part of the subset of data that was copied and removed.
Blackbaud also advised that it paid the cybercriminal’s demand for a ransom in order to obtain confirmation that the data that had been copied and removed had been destroyed. According to Blackbaud, based upon the nature of the incident, its research and third party (including law enforcement) investigation, there is no reason to believe the data that was copied and removed went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. It also advised that, as an extra precautionary measure, it had retained third-party experts to monitor the dark web for any usage or sale of the data.
What Information Was Involved
Blackbaud has determined that the data copied and removed was primarily contact information (name, address, phone number, email) and relationship history, such as donation dates and amounts.
Blackbaud has also determined that the data that was copied and removed did not include any credit card information, bank account information or social insurance numbers. RMHC MB considers credit card information, bank account information and social insurance numbers as highly sensitive and therefore does not store such information anywhere on the Blackbaud system.
What We Are Doing
RMHC MB takes the security of the personal information entrusted to it by its supporters very seriously.
While Blackbaud is already implementing changes to its security measures and strengthening its defenses, RMHC MB is working with Blackbaud to implement additional measures to ensure the safety and security of RMHC MB supporter data on the Blackbaud system. RMHC MB is also reviewing its other current safety and security protocols and procedures with the intent to implement such additional measures as are deemed warranted.
RMHC MB is also currently working with outside legal counsel to identify what, if any, privacy reporting obligations that it may have to regulatory authorities.
For More Information
RMHC MB sincerely apologizes to you, our supports, for this incident and regrets any inconvenience it may cause you. You are encouraged to visit our website for additional updates as available. Should you have any questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at firstname.lastname@example.org or 204-774-4777 ext. 224.
Click the link to read the full RMHC MB Blaukbaud Data Security Incident notice.