More victims of the third-party software data breach come forward
Another UK charity has confirmed that the personal data of its donors has been compromised as a result of the Blackbaud ransomware attack earlier this year.
Mines Advisory Group (MAG), a Manchester, UK-based non-profit involved in the clearance of landmines in war-torn countries, informed donors via email last week that their data may have been accessed by an unauthorized third party.
The announcement is the latest in a long line of data breach warnings from organizations who were impacted by a cyber-attack against Blackbaud, a provider of third-party customer relationship management software.
“Blackbaud informed us on July 16 that they had discovered and stopped a ransomware attack in May this year, successfully preventing a cybercriminal from taking control of their system and encrypting files,” the email from MAG reads.
“However, personal data was compromised, with the cybercriminal accessing a copy of the information stored on their system.
“Along with over 125 universities and charities, MAG’s supporter data was accessed, including names, addresses, email addresses, and telephone numbers and details on how people may have supported or engaged with MAG in the past.”
The charity reassured its supporters that no financial information, including credit card numbers or bank account details, were exposed during the incident.
The breach was reported to the UK’s Information Commissioner’s Office within the 72-hour timeframe required by law. MAG has also informed the Charity Commission.
The charity informed donors that their personal data may have been compromised in the Blackbaud security incident
MAG’s announcement comes just two weeks after another Manchester-based charity, The Christie, informed supporters that it had been a victim of the Blackbaud breach.
The Christie, which provides cancer treatments for NHS patients, sent an email to donors on July 31 admitting that their data may have been exposed.
“We believe that your name and the contact information you shared with us may have been accessed,” the email reads.
Other potentially exposed information includes “any engagement you might have had with the charity in the past or future, such as signing-up for an event or a fundraising campaign” and “the details of any donation you may have given to us in past”.
The Christie stressed that no financial information such as bank details or credit card information was accessed.
The Blackbaud ransomware attack took place in May 2020, when attackers took over servers and encrypted some sets of data.
The attackers were ultimately locked out of Blackbaud’s systems, but not before they took a copy of a subset of data. Blackbaud later paid out an undisclosed amount of money in order to retrieve that data.
A statement reads: “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Blackbaud said it has implemented changes after the attack. Those responsible have not yet been identified.