Blackbaud Data Breach, July 2020
Feed The Hungry holds and processes personal data, which is subject to data protection laws; specifically, the General Data Protection Regulation (GDPR) of 2018. We take our responsibilities, as set out by this legislation, very seriously.
On 16th July 2020, we were informed by one of our service providers, Blackbaud, that in May 2020, some of the data that they hold on behalf of Feed The Hungry UK was compromised and accessed by an unauthorised third party who had hacked into Blackbaud’s systems. A backup of Feed The Hungry’s data, along with data from other charities, universities and institutions, was copied by the hacker and held for ransom. Blackbaud engaged the services of a company that deals with situations like this, who were able to negotiate with the hacker. Blackbaud have also been working with law enforcement with regard to the hack. Blackbaud paid an undisclosed amount to the hacker on the agreement that the data was deleted and is no longer accessible to any unauthorised party. Although this happened in May, Blackbaud did not inform those organisations affected until 16th July.
Feed The Hungry contacted the ICO with regard to the situation. The ICO has advised that, at present, the data breach can be considered ‘low risk’ for those individuals whose data was involved in the breach. Blackbaud has engaged another company to search and analyse the web and the dark web for any data that may have been involved in the breach, and to date, no data has been detected. Blackbaud has high confidence, as advised by specialists and law enforcement, that the data has been deleted.
What data was accessed by the unauthorised party?
The data held by Feed The Hungry is considered to be ‘basic personal information’. This includes:
- Names, addresses and email addresses
- Donations history
- Gift Aid Declarations
No credit card information, bank details or ‘sensitive personal information’ were involved in the incident. The data of individuals and organisations who donated to or were in contact with Feed The Hungry UK prior to 2020 has been involved in the breach.
How great is the risk to the personal data involved?
While we take all data breaches seriously, based on the information we have received from Blackbaud and the advice we have had from the ICO, this incident is considered to be of low risk for those who have personal information stored and processed by Feed The Hungry.
What can I do?
Quite apart from this particular incident, we advise all of our supporters to always remain vigilant to suspicious activity.
- Feed The Hungry does not make outbound phone calls soliciting donations; if you receive a phone call from Feed The Hungry requesting a donation to be made, please immediately hang up and report the call to the Feed The Hungry Office on 01455 618 455.
- Feed The Hungry’s donation pages all appear on just three domain names: feedthehungry.org.uk, fth.org.uk and cafonline.org (for Direct Debits).
If you come across or are asked to make a donation to Feed The Hungry via a donation page that is not on one of these domain names, please do not make the donation and report the page to firstname.lastname@example.org or contact the Office on 01455 618 455.
If you are concerned about the Blackbaud Data Breach incident or have witnessed suspicious activity, please contact the Feed The Hungry Office on 01455 618 455.