We have set out answers to the key questions that you may have about the Blackbaud incident.

What happened?

On 16 July 2020 we were contacted by Blackbaud – a third-party service provider who host supporter databases for the charity and not-for-profit, healthcare and educational sectors. They are one of the world’s largest providers of this service and host our supporter database for The Donkey Sanctuary.

Blackbaud informed us that regrettably they had been the victim of a ransomware attack in May 2020. A cybercriminal had been able to remove a copy of a subset of data from a number of their clients and this included a subset of The Donkey Sanctuary’s data.

What do you use the database for?

We use the supporter database provided by Blackbaud to record the details of our engagement with contacts of The Donkey Sanctuary, including supporters, customers, staff and our extended networks. Storing data on this database enables us to manage our data and ensure that we send supporters communications they have expressed a preference for and consented to receive.

Was my personal data involved?

Having undertaken a review of the information shared by Blackbaud it is likely that, as a supporter of The Donkey Sanctuary, your personal data may have been compromised.

What information was involved?

A detailed forensic investigation that was undertaken on behalf of Blackbaud by law enforcement and third-party cyber security experts has concluded that the data accessed:

Did not include:

  • Encrypted information, such as bank account details, passwords or credit card information.

But may have included:

  • Basic personal details such as names, titles, gender, dates of birth and supporter numbers.
  • Postal addresses, telephone numbers and email addresses.
  • Records of engagement with our fundraising and events activities such as enquiries, event participation, volunteering, donations, and any other interactions you have with us which we track in order to improve our services.
  • General information you may have provided to us, such as your general interests.

What authorities have you contacted to notify about this matter?

Blackbaud notified the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC).

The Donkey Sanctuary has independently notified the ICO and The Charity Commission.

The ICO are acting as the Lead Supervisory Authority (LSA) for this incident, which has affected a number of high-profile charities and organisations in the UK and worldwide. As LSA, the ICO is the authority with the primary responsibility for coordinating any investigation where data from multiple countries is involved. The ICO, therefore, has the responsibility to notify and involve the data supervisory authorities of other countries as relevant.

The ICO are undertaking their own detailed investigation into this matter and we have been advised that the findings of that investigation will be published on the ICO’s website in due course.

Although they are continuing to investigate Blackbaud and the incident itself, they have confirmed that after subsequent consideration they are satisfied that The Donkey Sanctuary acted properly in selecting Blackbaud as a database software provider and acted properly in selecting a third party in line with the requirements of Article 28 of the GDPR.

How can Blackbaud give an assurance that my personal details won’t be used?

Blackbaud agreed to pay the cybercriminal with confirmation that the data was destroyed. Both Blackbaud’s third-party negotiation company and the FBI keep records of various cybercriminals and whether they have a history of meeting their own obligations. One of the reasons that Blackbaud was willing to pay this cybercriminal is because its security team was told that the cybercriminal would likely do as they promised.

As an additional precautionary measure, Blackbaud have hired outside experts to monitor the dark web and they have found no evidence that any information was ever released.

As a consequence, we have been advised that there is minimal risk that any of your data has been shared.

What should I do?

Although we have been advised that there is no immediate risk to any of our supporters as a result of this incident, we recommend that all of our supporters remain vigilant, as ever, and take the usual steps to guard against the possibility of identity theft or fraud and report any suspicious activity or incidents to the police, your bank and your credit card providers.

There is no need for you to take any further action at this time and we are grateful for your patience while we await the outcome of the ICO investigation and any further guidance they may issue.

Where can I get help about protecting my data?

We would encourage you to contact Action Fraud if you suspect any hint of fraud. This is the pan-government agency which investigates cybercrime and identity theft.

What should I do if I think I am the victim of identity theft?

Blackbaud have told us that no personal data has been misused and, as a result, we are not aware of any risk of identity theft to individuals. However, if you have evidence to the contrary, please notify us and we can follow this up with Blackbaud.

Additionally, the Information Commissioner’s Office (ICO) has information and resources on its website that you may find helpful. You may also contact Blackbaud directly at [email protected].

Who can I contact at The Donkey Sanctuary if I have any further questions?

Should you need to contact us to discuss these matters any further, please do so by contacting our Data Protection Officer (DPO).

a: Slade House Farm, Sidmouth, Devon, EX10 0NU

e: [email protected]

t: [44] (0)1395 208696