LauraLynn Statement on Blackbaud Breach

Published: 05 Aug 2020

LauraLynn Children’s Hospice received notification from Blackbaud that they discovered a cyber-attack on their system.


On July 16th, LauraLynn Children’s Hospice (LauraLynn) received notification from Blackbaud, a global provider of software tools and management resources for non-profits, that they had discovered a cyber-attack on one of their systems that houses supporter information. Unfortunately, LauraLynn has been confirmed as one of a number of organisations impacted by this security breach. A detailed explanation of the incident is available on Blackbaud’s website.

In line with LauraLynn’s financial management practice, supporters’ financial and sensitive personal data is stored in secure and encrypted files separately to its supporter database, which contains general supporter information (including supporter names, addresses, phone, email, contact details and communication history). No financial or PPS data is stored by the charity with Blackbaud or was impacted by this breach.  

What have Blackbaud done to rectify the situation? 

As a matter of urgency, LauraLynn has sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed in the breach have now been destroyed. They have also reassured us that new safeguards have been put in place to prevent this happening again. Blackbaud have assured LauraLynn that they have worked with law enforcement and third parties and have found no evidence that any of the breached information has been used fraudulently. They assure LauraLynn that they continue to monitor this.

Our Response:  

LauraLynn has taken the notification of this breach extremely seriously. The protection of our supporters’ data is of the utmost importance. In line with best practice and our high standards of governance, LauraLynn immediately notified the Data Commissioner regarding the breach and we continue to follow their guidance. LauraLynn has also sought the advice of a Data Protection Expert. We have been assured that the breach is classed as low risk. 

LauraLynn is continuing to liaise with Blackbaud to seek clarity from them about how the breach occurred and the steps they are implementing to prevent a breach in the future. If we are not satisfied with their response, we will move our database to a different provider. 

Although LauraLynn has been assured that there is a low risk to our supporters, we would urge all supporters to be wary of unexpected communication and practise the usual caution around suspicious calls, emails and letters.  

What happened?  

We were notified late on Thursday, July 16th about a cyber criminal attack on Blackbaud’s servers, which they discovered and expelled in May. Blackbaud is the company that hosts our supporter database and the databases of a large number of other organisations. This has therefore meant that some details of our supporters have been accessed in the incident, including some general personal information such as names, postal and email addresses and phone numbers. No financial or sensitive personal data was breached in the attack as this kind of information is not stored by LauraLynn on the Blackbaud supporter database.

Why is financial data not stored on the server that was breached? 

As part of a multi-layered approach to protect our supporters’ data, and keeping in line with our high standards of governance, LauraLynn does not store any financial details or sensitive personal information with Blackbaud. All financial and sensitive data is separately stored in secure and encrypted files. 

What information was accessed? 

The supporter database that was accessed includes supporters’ contact details (which may include names, phone numbers, email and/or postal addresses) and some details of the nature of their activity with us, including gift history information. No financial, banking details or sensitive personal information is included in the database. 

What has LauraLynn done since learning about this breach?  

On notification of this breach, LauraLynn took action to report the breach to the Data Commissioner’s Office and sought guidance from a Data Protection Expert. LauraLynn is continuing to liaise with Blackbaud to seek clarity from them about how the breach occurred and steps they are implementing to prevent a breach in the future. If we are not satisfied with their response, we will move our database to an alternative provider.