Blackbaud data breach – our statement

August 2020

Our statement

Recently there was a security incident involving a service provider that Sightsavers works with, a large technology company called Blackbaud. The risk to our supporters and donors is very low, but here’s what this means for our supporters and the data Sightsavers holds.

Blackbaud is a world leader in providing systems that help charities, universities and other not-for-profit organisations to manage communications with their supporters and other organisations. On Thursday 16 July, Blackbaud notified us that they had been the victims of a ransomware attack. Blackbaud discovered the incident and prevented the cybercriminals from locking down their systems. However, the cybercriminals were able to make a copy of the data stored in parts of the Blackbaud system. This included data for numerous charities and organisations, including Sightsavers.

The cybercriminals were not able to access any credit card or bank details as these are encrypted. Furthermore, Blackbaud have told us that the data the criminals were able to copy from their system has been destroyed and there is no reason to believe it was or will be misused.

Cybercrime is a significant issue across the world and it is a threat we take extremely seriously. Since we learnt of this incident, we have been working hard to understand what was involved, and to ensure we do everything possible to protect our supporters’ data and privacy. This includes working with Blackbaud to make sure that robust security measures are in place to guard against future cyber-attacks.

We have reported the incident to the Information Commissioner’s Office (ICO) and will continue to work with them, other relevant authorities, and Blackbaud to investigate and monitor the incident.

Sightsavers has reassured all our supporters and organisations we work with that we are confident this incident poses a very low risk to them, and that credit card and bank details were not involved. All of our supporters are hugely important to us and we value your trust, so we feel it is important we share information about this incident with you.

You can read some FAQs below and Blackbaud has provided further details here.

Frequently asked questions

Why does Sightsavers work with Blackbaud?

To ensure Sightsavers operates in the most efficient way, we work with third-party service providers, such as Blackbaud, where it is more cost effective than running specific activities ‘in-house’.

Sightsavers is reassured Blackbaud is taking all necessary steps to guard against a similar attack in the future. Cybercrime is a significant issue across the world and unfortunately no organisation is immune to this threat, as can be seen from recent separate attacks involving large, high-profile technology companies.

When did the cyber-attack happen?

Blackbaud identified and stopped the ransomware attack on their systems in May 2020. Sightsavers was informed about the incident by Blackbaud on 16 July. Since then, we have been working hard to understand exactly what was involved and what data held by Sightsavers was affected. We have reported the incident to the Information Commissioner’s Office (ICO), the data protection regulator in the UK. We are choosing to communicate with supporters now that we have enough information to be confident about the nature of the incident and the level of risk it poses to individuals, which is very low.

What supporter data was involved?

No credit card or bank account details were compromised as these are held in encrypted fields within the system.

Contact information like names, addresses, telephone numbers and email addresses was in the backup file, along with other information held on the record such as contact preferences and information about how and when individuals and organisations have supported Sightsavers in the past.

Blackbaud have told us that the copy of the data taken by cybercriminals has been destroyed and there is no reason to believe it has been or will be misused.

What action do I need to take?

The risk to supporters from this incident is very low and no specific action is required. However, we recommend all supporters continue to take sensible steps to protect themselves and guard against fraud. You should remain vigilant and report any suspicious activity to the relevant authorities. You can find further advice and information on the Action Fraud website here.

Have the authorities been informed?

We have reported the incident to the Information Commissioner’s Office (ICO) and will continue to work with them, other relevant authorities, and Blackbaud to investigate and monitor the incident.

Blackbaud worked with law enforcement authorities to investigate the incident, and has reported to the various data protection regulators in relevant countries.

How will you stop this from happening again in the future?

We take cyber-security and the protection of our supporters’ data very seriously. We constantly review our policies and procedures to ensure they are robust and meet the UK government’s own requirements for cyber-security through the Cyber Essentials accreditation scheme.

Blackbaud has substantial cyber-security practices in place with a dedicated team of professionals. Independent reviewers have evaluated its programme and determined that it exceeds benchmarks for the financial and technology sectors. Blackbaud follows industry-standard best practices, conducts ongoing risk assessments, aggressively tests the security of its solutions, and continually assesses its infrastructure.

The incident at Blackbaud was a sophisticated attack by a cybercriminal. We are liaising with Blackbaud to ensure changes have been made to prevent this specific issue from happening again, and to ensure we are confident they take all possible precautions to prevent any kind of cyber-attack.
