On Thursday 16th July MAG was made aware of a data security incident involving a company called Blackbaud, one of our third-party suppliers, which has affected a large number of UK charities and other organisations.
Like many charities, MAG uses a database to hold our supporter data. Blackbaud provides MAG with secure software to record and store this information.
We were informed that some time in May, Blackbaud discovered and stopped a ransomware attack, successfully preventing a cybercriminal from taking control of their system and encrypting files. However, personal data was compromised, with the cybercriminal accessing a copy of the information stored on their system.
Along with over 125 universities and charities, MAG’s supporter data was accessed, including names, addresses, email addresses and telephone numbers and details on how people may have supported or engaged with MAG in the past.
It is important to note that NO financial information, such as credit card or bank account details, was accessed.
Blackbaud paid the cybercriminal’s demand in order to receive assurance that any data obtained was destroyed. We have been informed that, to the best of Blackbaud’s knowledge, no data went beyond the cybercriminal and it has not been misused, shared or sold to third parties. If you would like more information on this incident, find further details here.
Blackbaud has informed us that it has implemented several changes that will prevent this from happening again. We have been assured by Blackbaud that the risk to MAG supporters is low and they are monitoring the situation to ensure this remains the case.
The steps we’ve taken
We quickly reported the matter to the Information Commissioner’s Office (ICO), the UK regulator for data protection, well within the 72-hour timeframe required.
We also sought independent legal advice on how we could best act and consider the impact on our supporters and what action we should take. The outcome of the legal advice is that, because no financial information or special categories of personal data were accessed, there is low risk to supporters involved in this data breach.
We are working closely with Blackbaud to understand this incident and the delay in informing us, and how to ensure information about our supporters remains secure. We will be reviewing our relationship with them.
In addition to reporting this incident to the ICO, we have also reported this to the Charity Commission.
We know that this incident will concern some of our supporters and we are very sorry for any distress this might cause. We carefully choose the suppliers we work with and trust to handle our supporters’ information on our behalf. It is very disappointing that on this occasion the supplier has been the subject of a criminal cyber-attack.
No action is required by supporters at this time, although it is always sensible to be vigilant for any suspicious activity.
Where we can, we are contacting individuals who have been affected. If you think you have been a victim of fraud you can visit Action Fraud for advice and to report any suspicious activity.