Blackbaud data breach
Because you are a valued San Diego Public Library Foundation supporter, I wanted you to hear from us directly. In May 2020, our third-party service provider, Blackbaud, Inc., discovered and stopped a ransomware attack on their servers that compromised some of the data of many of their clients, including the Library Foundation.
Blackbaud informed the Library Foundation of the breach and corrective actions on July 16. Blackbaud, one of the world’s largest cloud software companies, provides donor relations software for the Library Foundation and many other not-for-profits in San Diego and worldwide.
Please note that the cybercriminal attack on Blackbaud did not access credit card information, bank account information, passwords, or any other private financial data.
Because no donor credit card, bank, or private financial data was compromised, the Library Foundation is not legally required to alert donors. However, because being responsible stewards of your trust is a central part of the Library Foundation’s values, we thought it best to alert you that Library Foundation donor information such as contact information, names, email addresses, physical addresses, and giving histories could have been part of the breach on Blackbaud’s servers.
Blackbaud discovered a cyberattack in early February with intermittent activity through May 20, 2020. Working with independent forensics experts and law enforcement, Blackbaud’s Cyber Security team successfully prevented the cybercriminal from accessing and fully encrypting files and expelled them from the system. Prior to locking out the cybercriminal, a backup file with some personal information was removed.
Blackbaud reports: “We paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”
What Information Was Accessed?
I want to reiterate that the cybercriminal did not access credit card information, bank account information, passwords, or any other private financial data. Because the Library Foundation does not ask for or store donors’ social security numbers or bank information, that data was not available to the cybercriminal. Additionally, anytime a credit card is used for donations, the number is encrypted, which means that the Library Foundation cannot see the number itself. However, the file that was removed may have held your name, address, email addresses, donation dates and amounts, and notes on your Library Foundation support.
Please note that this breach only impacted information on Blackbaud’s servers for Library Foundation donors and has no impact on your library card accounts or any library borrowing activity.
What Has Been Done to Resolve This?
Blackbaud has implemented changes to protect the data from further incidents, including correcting the vulnerability that led to this incident. Multiple third-party tests have confirmed the effectiveness of these corrections. Additionally, Blackbaud is firming up its security to prevent future breaches.
You can read more about the Blackbaud security breach on Blackbaud’s website. Please feel free to email me with any questions at firstname.lastname@example.org. We will update you if there is any additional information or changes in the situation.
We stay committed to protecting your trust in us and continue to be thankful for your support of the Library Foundation and the Library.
Patrick Stewart, CEO