Wellspring Calgary has recently learned that one of our third-party database software providers, Blackbaud, has experienced a data security breach, involving personal data, that has impacted many of its clients around the world.
While the data security breach did not occur at Wellspring Calgary and did not impact Wellspring data, we take the protection and stewardship of your personal information very seriously. Ensuring the safety of this information is of the utmost importance to us, no matter where it resides. We encourage all Wellspring stakeholders (members, volunteers, or donors) to take extra precautions with their information.
On July 16th, Blackbaud notified its impacted clients of a data security breach. Blackbaud advised that they were a victim of a sophisticated ransomware attack. After discovering the attack, Blackbaud’s cyber security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking their system access and fully encrypting files, and ultimately expelled them from their system. Before being locked out, the cybercriminal removed a copy of a backup file from the Blackbaud system, which contained some of their stakeholder information. This occurred between February 7, 2020 and May 20, 2020.
More information on the breach can be found at https://www.blackbaud.com/securityincident.
What information was involved?
The backup file in the Blackbaud system may have included information about affected stakeholders and others that may have engaged with a variety of non-profits. This information may include names, addresses, email addresses, phone numbers and giving history (including donation amount(s), payment method, card type and if a donation was to a specific giving area). No credit card or banking information was compromised, except the payment method by which a donation was made (e.g. credit card or cheque) and the card type used to make the donation (e.g. Visa, Mastercard, American Express). That is, no credit card numbers, credit card expiry dates, credit card security codes, or bank account numbers were compromised.
Following their investigation into the event, Blackbaud opted to pay the cybercriminal’s demand only after receiving credible confirmation that the copy of the backup file had been destroyed by the cybercriminal.
What are we doing?
Wellspring Calgary takes the protection and stewardship of your personal information very seriously, and ensuring the safety of this information is of the utmost importance to us.
We are posting this on our website out of an abundance of caution to ensure all of our stakeholders are aware of the situation.
Blackbaud confirmed they were able to identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and have fixed the vulnerability. Additionally, Blackbaud is accelerating their efforts to further protect their environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms. We will work closely with Blackbaud to understand what actions they are taking to increase their security.
What can you do?
As always, you should remain vigilant with respect to unsolicited emails and update passwords on a regular basis. Remember, Wellspring Calgary will never contact you requesting any password information or login credentials. If you ever notice suspicious activity, you should of course report it to the appropriate authorities and organizations.
If you ever have any concerns about the validity of any contact you receive from Wellspring Calgary, you may find our contact information independently through our website at wellspringcalgary.ca and contact us to confirm.
Below are some additional resources that you may find useful:
- The Canadian Anti-Fraud Centre: https://www.antifraudcentre-centreantifraude.ca/protect-protegez-eng.htm
- The Canadian Centre for Cyber Security: https://cyber.gc.ca/en/cyber-incidents
- The Government of Canada: https://www.canada.ca/en/immigration-refugees-citizenship/services/protect-fraud/internet-email-telephone.html
Once again, Wellspring Calgary was not impacted by the breach, but we take the protection and use of private data very seriously. If you have any additional questions, please feel free to reach out to us at firstname.lastname@example.org.
Chief Executive Officer