Cyber Security Incident

On Thursday 16 July, we were contacted by Blackbaud. They are one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.  It is the system that Buttle UK uses to record information about our donors and supporters.

They informed us that they had been the victim of a ransomware attack in May 2020. A cybercriminal was able to remove a copy of a subset of data from a number of their clients, including a number of higher education institutions and charities across the UK.

For some institutions affected, the data breach was linked to the institution’s live database environment. This included Buttle UK’s fundraising database.

Because Blackbaud has hundreds of clients in the charity and education sector, we know that many other organisations have been involved in this incident.  You can see details about these on the BBC’s website: https://www.bbc.co.uk/news/technology-53567699.

We have not notified you until now because we needed to conduct a full investigation ourselves, to understand any potential threat to your data.  This is detailed below.

What information was involved?

We would like to reassure you that:

• A detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and cyber security experts. They concluded that the risk of the data going beyond the cybercriminals was extremely low.  Nevertheless, out of a desire to be as transparent as possible we wanted to let you know.
• We do not keep any financial information on our fundraising database beyond a record of any donation amounts and the date donations are made.  However, Blackbaud have confirmed that no encrypted information, such as bank account, credit card information or other payment details or passwords, was accessible anyway.
• The data accessed illegally may have contained some of the following information:
  • Basic details (e.g. name, title, gender);
  • Addresses and contact details (e.g. home address, phone number and email address)
  • Donation amounts and dates

Was any sensitive information about the children and young people we work with taken?

No. Any potentially sensitive data about children and young people is kept securely on a different database. Therefore, this information was not accessed.

How is Buttle UK responding to the situation?

Buttle UK takes the protection of data very seriously. We carefully selected Blackbaud as our database supplier in 2014, and have had no issues with them at all in the time we have used their system.

We have been informed that in order to protect their customers’ data and mitigate potential identity theft, having taken expert advice Blackbaud met the ransomware demand.

Blackbaud have advised us that they paid the ransom and received credible assurances that the data had been destroyed.

However, we have immediately launched our own investigation, as a result we have taken the following steps:

• We are informing you, and although we believe the threat that the data has been shared beyond the cybercriminal is low, we want you to be aware of this breach of Blackbaud’s systems so you can remain vigilant.
• We took immediate legal advice, and our trustees have overseen our investigation.
• We have informed the Information Commissioner’s Office (ICO) and the Charity Commission of the breach.
• We have taken steps to understand how many other parties have been affected, and how they have responded.
• We are working with Blackbaud to understand in more detail how the breach occurred and their response, so that we can assess if there is any potential, preventable threat to our data going forwards.
• We have carefully reviewed our own security and data protection provisions, and have satisfied ourselves there is nothing further we could have done to prevent this.

What should I do if I think I may be affected?

There is no need for you to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

We are very sorry that this has happened, it is incredibly important to us that your information is kept secure. If you would like to speak to a member of our team, please contact: privacy@buttleuk.org.