Y Community Data Security
Dear Y Community Member,
I am writing to inform you about a data security incident that may have involved some of your information. Blackbaud, a fundraising software service provider, recently experienced a data incident. We use Blackbaud-hosted services for our fundraising database and thus we are among the many affected nonprofits locally and internationally.
Blackbaud maintains that data fields containing credit card or bank account information were encrypted and not accessible by the cyber hackers. While we work to better understand the situation and confirm what is and is not potentially at risk, we at the Y want to inform you of what we have learned from Blackbaud at this point because we take the protection and proper use of your information very seriously. We think it is important that you know about this and remain vigilant regarding any potential misuse of your information.
On July 16, 2020, Blackbaud notified the Y of a data security incident affecting nonprofits and higher education institutions across the world. This incident began on February 7, 2020, and according to Blackbaud could have continued intermittently until May 20, 2020.
Blackbaud informed us that they discovered and stopped a ransomware attack and, with the help of independent forensics experts and law enforcement, successfully prevented the cyber hackers from blocking or encrypting files. During the incident, a backup file containing information of some individuals was acquired. According to Blackbaud, they paid the cyber hackers a ransom to ensure the backup file was permanently destroyed.
What Information Was Involved
As reported by Blackbaud, data fields designed to contain credit card or bank account information were encrypted and not accessible by the cyber hackers. However, Blackbaud reports that the data the cyber hackers accessed may have included demographic information, contact information, and a history of your relationship with the Y, such as donation dates and amounts.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud informed us that they have no reason to believe that any data was or will be misused, or will be disseminated or otherwise made available publicly. The company has hired a third-party team of experts to continue monitoring for any such activity.
What We Are Doing
We are notifying you so that you can be fully informed. Ensuring the security of our data is of the utmost importance to us. According to Blackbaud, they identified the vulnerability associated with this incident, took swift action to fix it, and the company is further enhancing its security controls. Upon learning of the issue, we engaged cybersecurity professionals and commenced an internal review to analyze any information that had been stored within this vendor’s applications and to determine if any personal information is at risk. Our investigation is ongoing. If our investigation determines that there is need for additional follow up, we will communicate with you again.
What You Can Do
While neither Blackbaud nor the Y has any evidence that your information was abused, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to proper authorities.
For More Information
We deeply apologize for this incident and regret any concern this may cause you. We assure you that we strive to handle your information in strict accordance with our core values—Caring, Honesty, Respect, and Responsibility. If you have further questions, please do not hesitate to contact me and the other members of our Development team at DonorProtection@gbymca.org or (802) 652-8151.
Vice President of Development & Social Responsibility