The Charity Commission has confirmed that more than 30 UK charities have been affected by the Blackbaud ransomware attack.
The regulator said it had received 33 serious incident reports in relation to the attack after data was stolen when hackers targeted the US-based software provider.
Blackbaud is one of the largest providers of fundraising, financial management, and supporter management software to the UK charity sector.
The company has apologised to customers and said that it has made changes to avoid a similar attack in the future. Blackbaud also paid the ransom to ensure that data would not be made publicly available or shared elsewhere.
Affected clients were contacted this month after the breach was discovered in May.
In a statement, the organisation explained: “We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again.”
However, Blackbaud has so far declined to say how many clients were affected or give any breakdown by region or sector, citing client privacy, but said: “The majority of our customers were not part of this incident.”
The industry regulator has advised all charities considering using cloud technology to read and use the National Cyber Security Centre’s Cloud Security Guidance. Its Protect Your Charity From Fraud and Cybercrime guidance is also available.
A spokeswoman explained that the NCSC and the Charity Commission have worked together to develop several resources relevant to charities of all sizes, including the Cyber Security: Small Charity Guide, and the Board Toolkit for larger charities.
The NCSC has also produced an e-learning training package, Stay Safe Online: top tips for staff, and the Fraud Advisory Panel has an online resource that advises how to protect charities from cyber fraud.
Alan Bryce, head of development, counter fraud and cybercrime at the commission, said: “When a cyber attack targets a charity, its effects are felt beyond data and systems – it can harm the valuable work a charity does or the people it is set up to help. Charities are increasingly reliant on IT and technology to deliver on their purposes and so it’s vital that we are all alert to the risks posed by malicious cyberactivity.”
Bryce encouraged all charities to make use of the available resources to strengthen their defences.
“Do not wait until it is too late for your charity,” he added.
A spokeswoman for the Information Commissioner's Office advised organisations involved to get in touch with their customers to inform them if their personal data has been impacted.
“People have the right to expect that organisations will handle their personal information securely and responsibly,” she said in a statement.
“Anyone with any concerns about how their data has been handled should raise those concerns with the organisation first, then report to us if they are not satisfied.”