Blackbaud Cyberattack FAQs
In May 2020 Blackbaud (NABS database supplier) was subject to a cyberattack, which resulted in a copy of the NABS database being obtained by cybercriminals.
We were informed of the attack on Friday 16 July 2020 and have been taking every step necessary to ensure the safety of your data.
Our FAQs below explain more about the incident and the low risk to your personal details.
When personal information is lost, stolen, or shared with an unauthorised person. Essentially, it’s any unwanted or unexpected event that compromises the security of personal data.
Our database providers, Blackbaud, suffered a cyber-attack, resulting in cybercriminals obtaining a backup of NABS’ database.
After discovering the attack, Blackbaud’s cybersecurity team—together with independent experts and the police — successfully prevented the cybercriminal from blocking our own access to our database and therefore disrupting our service. However, before locking the cybercriminal out of Blackbaud’s system, the cybercriminal removed a copy of NABS’ database.
Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Blackbaud has set out further details about the incident here.
The breach happened in May 2020. NABS were informed of the incident on Friday 16 July 2020 and have since informed the ICO (Information Commissioners Office) and the Charity Commission.
Yes. Blackbaud works with many not-for-profit organisations across the world, and a number of charities and educational institutions’ data was obtained.
NABS holds different levels of information on our database, depending on our clients and supporters’ interactions with us.
For many of our contacts we will only have name, address and emails. For our service users we may also have additional information such as case notes, and for our grant applicants we may also hold information relating to financial applications to NABS, including bank details.
We want to reassure you however that Blackbaud have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed and there is currently no evidence of the data being used.
We hold around 27,000 records on our database, which includes a mixture of individuals and organisations.
Based on the nature of the incident, Blackbaud’s research, third party (including law enforcement) investigation and NABS’ own internal investigation, we have no reason to believe that any data was or will be misused, shared or otherwise made available publicly.
We take your data protection very seriously. Although we don’t believe that the current situation presents a likely risk to our community, we’re taking it extremely seriously.
As such, we’ve immediately launched our own investigation, including the following actions:
- Reporting the incident to the Information Commissioner’s Office (ICO) and the Charity Commission on the advice of our legal representative;
- Asking Blackbaud to explain the delay between them discovering the incident and reporting it to us, and how they’ll increase their security from now on;
- Taking steps to understand which parts of our database were affected in the incident;
- Monitoring the situation closely, together with Blackbaud; and
- Writing to all of our database contacts and service users to explain the situation.
Blackbaud have assured us that to the best of their knowledge the data has been destroyed, and their ongoing monitoring has shown no sign of any of the information being used fraudulently. NABS will continue to monitor the situation and seek independent advice.
There is no need for our community to take any action at this time. As a best practice, we recommend that people remain vigilant and promptly report any suspicious activity, communications or suspected identity theft to us and the proper law enforcement authorities.
If you have any questions not answered above, please contact us on blackbaud-response@nabs.org.uk