Blackbaud Data Security Incident Affects VPR Among Other Nonprofits

Jul 23, 2020

On July 16, 2020, VPR learned of a data security incident at Blackbaud, the engagement and fundraising software service provider we use for our membership program. The incident affected nonprofits and higher education institutions around the world, including several in Vermont.

Blackbaud informed us that they discovered and stopped a ransomware attack and, with the help of independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking or encrypting files. 

This incident occurred on February 7 and continued until May 20. During the incident, a backup file containing information of some individuals was acquired. According to Blackbaud, they paid the cybercriminal a ransom to ensure the backup file was permanently destroyed. A detailed explanation is available on Blackbaud’s website.

What Information Was Involved
As reported by Blackbaud, member credit card and bank account information was not compromised. However, we have learned that the cybercriminal was able to access member demographic information, contact information, and donation histories.

Based on the nature of the incident, their research, and third-party investigation (including law enforcement), Blackbaud informed us that they have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. The company has hired a third-party team of experts to continue monitoring for any such activity.

What We Are Doing
Ensuring the security of our members’ data is of the utmost importance to us, and we have notified members of this incident. Blackbaud informed us that they identified the vulnerability associated with this incident, took swift action to fix it, and are further enhancing their security controls. Upon receiving the notice, we immediately implemented our response plan and are working with privacy legal counsel to learn the full scope of the incident. If we determine that personal information was acquired by the attackers, we will notify any individuals whose personal information was involved.

What Members Can Do
Although there is currently no evidence that members’ information will be misused, as a best practice, we recommend that all members remain vigilant and promptly report any suspicious activity or suspected identity theft to the Vermont Attorney General’s Office.

For More Information
We take data security very seriously and deeply regret any concern this may cause. If you have further questions, please do not hesitate to contact member services at membership@vpr.net.