Like many charities, we use a third-party company to provide us with our database and management systems.
The company we use is called Blackbaud who are one of the world’s largest and leading providers of supporter database systems for the charity and not-for-profit, healthcare and educational sectors.
On 16 July 2020 Blackbaud notified us that regrettably they had been the victim of a ransomware attack in May 2020. A cybercriminal had been able to remove a copy of a subset of data from a number of their clients, including many UK and International charities and universities, and unfortunately, we were affected also.
We have set up this webpage to notify those whose data we hold on our supporter database of this incident, to keep them informed and to advise them of any steps that they may wish to take. Specifically, we have set out answers to the key questions that they may have.
Further, those supporters whose data we hold may wish to read this statement released by Blackbaud about how the breach occurred and the steps they have taken to prevent the misuse of the data that was obtained.
Crucially, we have been assured by Blackbaud that their security experts have fully investigated the attack and they have confirmed that no encrypted information such as personal passwords, credit card or bank account details were taken during the attack. Furthermore, their investigation concluded that the hacker has deleted the file taken during the attack and we have no reason to believe that any data was subsequently passed on by the hacker.
Please be assured that we have reported the data breach to the Information Commissioner’s Office (ICO), as has Blackbaud. The ICO are acting as the Lead Supervisory Authority (LSA) for this incident and, as such, have taken on primary responsibility for coordinating the investigation into this matter as data from multiple charities, organisations and countries has been involved. The findings of their investigation will be published on the ICO’s website in due course and we will publish a link to this report on this page as soon as it is available.
We have been advised that supporters whose data we hold do not need to take any action at this time; however, we will update this page immediately with any new information or guidance we are given.
Although we have been advised that there is no immediate risk to any of our supporters as a result of this incident, we recommend that all of our supporters remain vigilant, as ever, and take the usual steps to guard against the possibility of identity theft or fraud and report any incidents to the police. Specifically, we encourage supporters to contact Action Fraud if they suspect any hint of such suspicious activity. This is the pan government agency which investigates cybercrime and identity theft.
Should you need to contact us to discuss these matters any further, please do so by contacting our Data Protection Officer (DPO)
a: Slade House Farm, Sidmouth, Devon, EX10 0NU
t: [44] (0)1395 578222