Direct Relief has been informed that Blackbaud, a third party software vendor that provides fundraising data services, identified an attempted ransomware attack in progress on May 20, 2020 that may have involved certain information provided to us by donors.
Blackbaud informed us that they stopped the ransomware attack with the help of forensics experts and law enforcement and that they prevented the threat actor from blocking or accessing encrypted files that contain sensitive data. Blackbaud has told us that they have no reason to believe that any data went beyond the threat actor, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud indicates that it has hired a third-party team of experts, including a team of forensic accountants, to continue monitoring for any such activity.
The security incident affected educational institutions, foundations, and other nonprofits across the United States and internationally.
Upon learning of the issue, Direct Relief engaged privacy counsel and commenced an immediate and thorough investigation, which is still ongoing, to determine what information relating to our constituents was contained in the backup file that the threat actor removed.
The compromised file may have contained demographic information and philanthropic giving history, such as donation dates and amounts.
Per organizational policy, Direct Relief does not store credit card information nor Social Security numbers, and Blackbaud has said that other more sensitive data elements (such as credit card information, bank account information, user names, passwords, Social Security numbers, and vendor tax ID numbers) were protected with encryption.
We are working with legal counsel to quickly and diligently assess any required notifications to individuals and/or regulators of this incident, which we intend to provide as soon as practicable and in compliance with any and all data protection laws, rules, and regulations.
We are taking this matter very seriously and continue to take significant measures to protect the personal information entrusted to us.
For more information, please visit: https://www.blackbaud.com/securityincident