Aug 10, 2020
The information below relates to a data security incident involving Blackbaud, Inc., a service provider of Magee-Womens Research Institute & Foundation (MWRIF). Our organization takes our data protection responsibilities very seriously. We have launched our own investigation and further details are below, including steps we have taken in response. Recognizing that we do not have contact information for all our supporters, we are sharing the information here as part of our commitment to accountability and transparency. We greatly value our donors’ support of Magee, respect your privacy, and work hard to keep your trust.
We were recently notified by Blackbaud, Inc. (a third-party service provider) of a security incident. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of our backup file containing your personal information. This occurred at some point beginning on February 7, 2020 and could have been in there intermittently until May 20, 2020.
What Information Was Involved
It’s important to note that the cybercriminal did not access your credit card information or social security number. However, we have determined that the file removed may have contained public information such as your contact information, demographic information, philanthropic interests, giving capacity and summary giving history to Magee.
Blackbaud, Inc. assured MWRIF that they paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, Blackbaud Inc.’s research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
We are notifying you so that you can take immediate action to protect yourself. Ensuring the safety of our constituents’ data is of the utmost importance to us. As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud, Inc. assures us that they implemented several changes that will protect your data from any subsequent incidents. First, the provider’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. They have confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, they are accelerating our efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities.
For more information please visit https://www.blackbaud.com/securityincident.
We deeply regret this incident occurred. While data breaches and ransomware attacks are becoming more common, this is not something we ever want to happen to our valued supporters. Your privacy is of the utmost importance to us.
Blackbaud has apologized to MWRIF and, on behalf of them and us, we sincerely apologize for any inconvenience this incident may cause you. If you have any questions or concerns regarding this matter, please do not hesitate to contact Colleen Straub, Director of Development at email@example.com or 412-641-8978.
We know that every gift made to MWRIF is a choice. Thank you for your support of our women’s health research. Science brings hope because of your generosity, and we are dedicated to keeping your trust.