CFS FAQs Related to the Blackbaud Database Security Incident
Who is Blackbaud?
Blackbaud is an international software company based in the United States that hosts our philanthropy data, along with the philanthropy data of thousands of nonprofit organizations and educational institutions.
How does Blackbaud take care of CFS records?
Blackbaud is contracted by CFS to securely store our supporter data. Blackbaud manages all security protocols and undergoes regular third-party audits to verify that their procedures meet or exceed legal requirements and industry standards. In addition to contracting with third-party digital security firms, Blackbaud maintains an in-house digital security team which continuously monitors and tests Blackbaud’s network for any potential weaknesses.
- On July 16, 2020, Blackbaud notified CFS of a ransomware security incident which was identified and stopped in May 2020. Prior to Blackbaud successfully blocking the attack, the cybercriminal removed backup files that contained biographical, contact, and giving history information from an unspecified number of Blackbaud’s customers.
- Blackbaud states that they paid a ransom to the cybercriminal upon receiving proof that the copied files were destroyed. Blackbaud reports that both third-party security experts and law enforcement agents confirmed that they believed the files to be destroyed before the ransom was paid.
- As an added layer of protection, Blackbaud reports they have contracted a third-party firm to monitor the internet to ensure the information is not released. According to Blackbaud, to date, there is no evidence to suggest that the data has been or will be released.
What impact did the cyber-attack have on Child & Family Service’s supporters?
- Blackbaud informed us that a backup copy containing our supporters’ records was downloaded by the cybercriminal. These records may include biographical information such as name, birthday, address, phone and email, giving history, and relationships and acquaintances.
- Based on the nature of the incident, Blackbaud’s research, and the third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What CFS supporter records does Blackbaud keep on its server?
CFS may maintain the following information in your record:
- Biographical: name and birth date
- Contact information including address, phone, and email
- Relationships including family members and employer
- Giving history including date and amount donated
Does CFS keep my credit card or bank account information?
- No. When you authorize a donation by credit card or direct debit, CFS will temporarily store your information in an encrypted format for the purposes of completing the authorized transaction. Once your information is entered into our system, we securely destroy any physical copies of it. We do not maintain any accessible records of donor financial information in this system.
- According to Blackbaud, the cybercriminal did not access your credit card information or bank account information during the incident.
What does “encrypted” mean?
Encryption is a way to secure digital information which renders the data meaningless unless you have the required program and/or access code to view the information. According to Blackbaud, the cybercriminal involved in the incident does not have access to this information.
Does CFS have my Social Security information?
No. CFS does not have access to, nor does CFS store, any social security numbers of its supporters in this system.
Does CFS have my username or password information for my accounts?
CFS will never request and does not store your login credentials, including username, password, and security questions, for any of your personal accounts.
Was any CFS participant information included in this incident?
No. Participant information is stored on a separate HIPAA compliant system which remains completely secure. The database involved in this incident held only donor information.
Who can I talk with if I have questions about my records?
If you have questions about the records we keep on our supporters, please call the CFS Development Office at (808) 543-8415 or email to: email@example.com.
What can I do to protect myself?
We recommend, out of an abundance of caution, that CFS donors continue to be alert for phishing attempts and monitor their bank accounts and credit card statements as they always do. If you notice anything potentially suspicious, please immediately contact the proper law enforcement agency or your financial institution. And remember never to provide your username or password to anyone over the phone.
Are there additional resources if I have further questions about this specific incident or Blackbaud?
- Yes, you can find additional information on these websites:
- Blackbaud Security Page – https://www.blackbaud.com/security
- Blackbaud Incident page – https://www.blackbaud.com/securityincident
- Blackbaud Home page – https://www.Blackbaud.com
- Press Release on the Blackbaud website – https://www.blackbaud.com/newsroom/article/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped?_ga=2.234960449.1931884992.1595877331-1221277503.1577991756
- You can also call Blackbaud directly with questions: 1 (800) 468 – 8996. Press 1 for the main support line; the operator should be able to assist or direct you to an appropriate person.