MAG America was recently made aware of a data security incident involving Blackbaud, one of our third-party suppliers, which has affected a large number of global nonprofit institutions.
We were informed that in May, Blackbaud discovered and stopped a ransomware attack, successfully preventing a cybercriminal from taking control of their system and encrypting files. However, personal data was compromised, with the cybercriminal accessing a copy of the information stored on their system.
Along with over 200 charities, MAG America’s supporter data was accessed, including names, addresses, email addresses and telephone numbers and details on how people may have supported or engaged with MAG in the past.
It is important to note that NO financial information such as credit card or bank account details were accessed.
Blackbaud paid the cybercriminal’s demand in order to receive assurance that any data obtained was destroyed. We have been informed that, to the best of Blackbaud’s knowledge, no data went beyond the cybercriminal and it has not been misused, shared or sold to third parties. Blackbaud has informed us that it has implemented several changes that will prevent this from happening again. We have been assured by Blackbaud that the risk to MAG supporters is low and they are monitoring the situation to ensure this remains the case.
The steps we’ve taken
We quickly reported the matter to our legal counsel to seek advice on how we could best act and consider the impact on our supporters and what actions should be taken. The outcome of the legal advice is that because no financial information or special categories of personal data was accessed, there is low risk to supporters involved in this data breach.
We are working closely with Blackbaud to understand this incident and how to ensure information about our supporters remains secure. We carefully choose the suppliers we work with and trust to handle our supporter’s information on our behalf. It is very disappointing that on this occasion the supplier has been the subject of a criminal cyber-attack.