Home Notice of Blackbaud Data Breach

Notice of Blackbaud Data Breach

Food Banks Canada has recently learned that our third-party fundraising software provider, Blackbaud, has experienced a data security breach that has impacted many of its clients around the world, including Food Banks Canada. Unfortunately, this data security breach at Blackbaud involves personal information of some of our stakeholders.

While the data security breach did not occur at Food Banks Canada, we take the protection and proper use of personal information very seriously and ensuring the safety of this information is of the upmost importance to us, no matter where it resides.

What Happened
On July 16th, Food Banks Canada was notified by Blackbaud of a data security breach. Blackbaud had advised that they were a victim of a sophisticated ransomware attack. After discovering the attack, Blackbaud’s cyber security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system.  Prior to locking the cybercriminal out, the cybercriminal removed a copy of a backup file from the Blackbaud system, which contained some of our stakeholder information. This occurred between February 7, 2020 and May 20, 2020.

While it is our understanding that this breach has impacted organizations internationally, this letter is only in reference to Food Banks Canada. More information on the breach may be found at https://www.blackbaud.com/securityincident.

What Information Was Involved
The backup file in the Blackbaud system may have included information about stakeholders including a subset of our donors and others that may have engaged with Food Banks Canada. This information may include names, addresses, email addresses, phone numbers and giving history to Food Banks Canada (including donation amount(s), payment method, card type and if a donation was to a specific giving area). No credit card or banking information was compromised, except the payment method by which a donation was made to Food Banks Canada (ex. credit card or cheque) and the card type used to make the donation (ex. Visa, Mastercard, American Express). That is, no credit card numbers, credit card expiry dates, credit card security codes, or bank account numbers were compromised.

Following their investigation into the event, Blackbaud opted to pay the cybercriminal’s demand only after receiving credible confirmation that the copy of the backup file had been destroyed by the cybercriminal.

Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has advised that they have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud has also hired outside experts to monitor the web and have found no evidence that any information has been released.

What We Are Doing
Food Banks Canada takes the protection and proper use of personal information very seriously and ensuring the safety of this information is of the upmost importance to us.

We are posting this on our website out of an abundance of caution to ensure all of our stakeholders are aware of the situation.

We have sent e-mails or letters directly to potentially affected individuals for whom we have current contact information.

We met with Blackbaud who has confirmed they were able to identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has fixed the vulnerability. Blackbaud has reported that they have confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, Blackbaud is accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms and we will work closely with Blackbaud to understand what actions they are taking to increase their security. As noted above, Blackbaud has engaged with law enforcement as part of their investigation into this incident.

What You Can Do
As always, you should remain vigilant with respect to unsolicited emails. Remember, Food Banks Canada will never contact you requesting any password information or log in credentials. If you ever notice suspicious activity, you should of course report it to the appropriate authorities and organizations.
 
If you ever have any concerns about the validity of any contact you receive from Food Banks Canada, you may find our contact information independently through our website at foodbankscanada.ca and contact us to confirm.
 
Below are some additional resources that you may find useful:
For More Information
We sincerely apologize for and regret any inconvenience this incident may cause you.

Should you have any questions or concerns regarding this matter we have set up a dedicated call centre which can be reached at 1-833-683-5857, available between 9am to 5pm EST Monday through Friday.

Sincerely,
Chris Hatch
Chief Executive Officer
Food Banks Canada
 
Deborah O’Bray
Chair, Board of Directors
Food Banks Canada