Dear Mr Robinson
Earlier this year, the company which supplies our supporter database software, Blackbaud, was hit by a series of cyber-attacks. Blackbaud informed the Information Commissioner's Office (ICO) and in July notified affected organisations. We understand that the incident affected a significant number of UK and US charities and other not for profit organisations.
Blackbaud has assured us that the issue was resolved and that the data is now secure. They have also stated that there is no need for individuals to take any action at this time. We have reported the incident to the Information Commissioner's Office (ICO) and are awaiting further guidance from them.
We are writing to you so that you know what has happened, and what action we, and Blackbaud, have taken.
On 16 July we were contacted by Blackbaud, one of our suppliers, which is one of the world's largest providers of databases and customer relationship management systems for charities and other large organisations, including many universities here in the UK and North America. They informed us that sometime earlier this year a cybercriminal hacked into Blackbaud's systems and accessed data containing personal information, which they offered to destroy in exchange for a payment. Blackbaud paid a ransom to the cybercriminal and received third party assurances that the stolen data was destroyed and not used or sold on. Blackbaud states that it has no reason to believe any data was shared beyond the cybercriminal, nor that it was or will be misused, nor will it be disseminated or otherwise made available publicly.
Why and how was Church Army affected?
We use a Blackbaud programme called Raiser's Edge to record all our engagement with our supporters. Blackbaud have told us that the data breach included an old back-up copy of our database from 3 years ago (July 2017), and so it is possible that personal and contact details and also details of your involvement with Church Army up to that time may have been accessed. In 2017 our data was moved to be stored on Microsoft Azure, which is one of the most secure systems. Anyone joining the database since then, and all new data, is not affected.
What has been done about this incident?
Blackbaud have carried out their own investigation into the attack with law enforcement agencies and third-party cyber security experts. They assured us that they have put new measures in place to stop the specific type of attack happening again. Blackbaud have also notified the UK's Information Commissioner's Office (ICO).
Since we first heard about the issue, we have been undertaking our own internal investigation and have been liaising with Blackbaud to clarify exactly what happened and obtain a copy of the affected data back-up from July 2017. We have taken legal advice, have informed the Information Commissioner's Office and are continuing to liaise with them, following their advice on what action we should take, and additionally we have reported the incident to the Police and Charity Commission. To assist us in this we have enlisted the services of a legal firm and also IT specialists.
What do you need to do?
Blackbaud have stated that, in their opinion, this incident is unlikely to have any impact on individuals. However, we would always recommend that you remain vigilant and if you notice any unusual or suspicious activity that concerns you, please report it to the police.
We understand how concerning it is to receive news like this, and we are so sorry for any anxiety that this news may have caused you. If you have any questions, please do not hesitate to contact us - contact Paul Critchlow on 0300 123 2113 or firstname.lastname@example.org
We take this issue very seriously, so please be assured that we will continue to do everything we can to ensure that your personal information is secure. We are continuing to work with Blackbaud to investigate this matter and we continue to take advice from the Information Commissioner's Office.
Thank you for your continued support of Church Army as we work with marginalised communities across the UK and Ireland.
Chief Executive Officer