The US-based company was targeted by a cybercriminal who accessed some of its client data, Third Sector reported last week, with national mental health charity Young Minds caught up in the ransomware attack.
Blackbaud is one of the largest providers of fundraising, financial management, and supporter management software to the UK charity sector.
The firm has apologised to customers and said that it has made changes to avoid a similar attack in the future. Blackbaud also paid the ransom to ensure that data would not be made publicly available or shared elsewhere.
In a statement, the organisation explained: “We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack. We have already implemented changes to prevent this specific issue from happening again.”
Blackbaud has so far declined to say how many clients were affected or give any breakdown by region or sector, citing client privacy, but said: “The majority of our customers were not part of this incident.”
Affected clients were contacted this month after the breach was discovered in May.
In an email to supporters Jon Sparkes, chief executive at Crisis, assured them that the risk to individuals’ data is very low.
Supporter information accessed by the hack includes names, addresses, email addresses and telephone numbers. However the charity said it is confident that financial information held by Blackbaud has not been breached.
“The breach affected a system that we stopped using in early 2018. Any information that you have given to us since then has not been affected,” said Sparkes.
Crisis said it has notified the Information Commissioner’s Office and is following their advice and guidance. The charity has also informed the Charity Commission.
Sparkes added: “Like you, we are incredibly frustrated by this incident. Please rest assured that we take your data and privacy seriously. We are continuing to investigate with Blackbaud and seeking advice about any further actions that need to be taken.”
Blackbaud said it has notified the ICO of the incident and is working with them and its customers, as well as with federal law enforcement agencies in the US.
A spokeswoman for the Charity Commission said: “We can confirm that both YoungMinds Trust and Crisis have submitted serious incident reports to the commission in relation to this breach, in line with our guidance on reporting serious incidents. We are currently assessing information to ensure the charities are responding appropriately and to determine our next steps.”