Cyber security incident
An update on a cyber security incident, July 2020.
July 21 2020
We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. Blackbaud are the company that host our supporter database, and the database of several other charities. This has therefore meant that some details of our supporters have been accessed, including some personal information like their names, addresses and email addresses. No financial or banking details were included in the database.
As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. They have also reassured us that new safeguards have been put in place to prevent this happening again. We have decided to report this incident to both the ICO and Charity Commission at the earliest opportunity to ensure that they are fully aware.
We have been assured by Blackbaud that there is a low risk to YoungMinds’ supporters, but all the same we would urge all of our supporters to continue to be wary of unexpected communication and practise the usual caution around suspicious emails and letters.
If anyone is concerned or has further questions please contact our data protection lead at: [email protected]
Blackbaud has set out further details about the incident here.
We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. Blackbaud are the company that host our supporter database, and the database of a large number of other organisations. This has therefore meant that some details of our supporters have been accessed, including some personal information like their names, addresses and email addresses.
What have Blackbaud done to rectify the situation?
As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. We are aware that they have paid a ransom to the cybercriminals for assurances that the stolen information has been destroyed. They have worked with law enforcement and a third-party company and have found no evidence that any of the information taken has been used, and continue to monitor for this.
They have informed us that new safeguards have been put in place to prevent this happening again.
What information was accessed?
The database that was affected includes supporters’ contact details (which may include phone number, email address and/or postal address) and some details of the nature of their activity with us, including if they have donated money, purchased a publication or signed a petition. No financial or banking details are included in the database.
What has YoungMinds done since learning about the breach?
At the earliest opportunity, YoungMinds took action to report the breach to the Information Commissioner's Office and took advice from a company specialising in data management and data breaches. Additionally, we submitted a Serious Incident Report to the Charity Commission. We also made a statement about the breach on our website. We continue to seek clarity from Blackbaud about how the breach occurred and confirmation of which data may have been accessed, and will notify individuals if it appears that sensitive data has been accessed. We have also consulted with our IT service provider to ensure that our internal systems are secure.
How confident are you that the private data has been destroyed?
Blackbaud have assured us that to the best of their knowledge the data has been destroyed, and their ongoing monitoring has shown no sign of any of the information being used fraudulently. We continue to monitor the situation and seek independent advice.
What steps can our supporters take to protect themselves?
We would recommend that all supporters continue to take the usual steps to maintain caution. More information about protecting against fraud can be found here: https://www.met.police.uk/advice/advice-and-information/fa/fraud/personal-fraud/prevent-personal-fraud/#:~:text=Don't%20hand%20over%20money,don't%20know%20or%20trust.
Was any sensitive information about young people taken?
No. Any potentially sensitive data about young people is kept securely on a different database. Therefore this information was not accessed.
Was any financial information about supporters taken?