Hackers may have accessed the personal data of donors to several local organizations and nonprofits, including Thomas Jefferson’s Monticello, following an international data breach this past spring.
Blackbaud, one of the world’s largest institutional providers of fundraising management systems, informed its 35,000 clients last month that it had been the victim of a ransomware attack lasting intermittently from February until May, according to a news release from the company.
Though the attack eventually was offset, a copy of a subset of data was removed by the cybercriminal, leading Blackbaud to pay the criminal’s demand. According to Blackbaud, the information accessed did not include credit card information, bank account information or Social Security numbers.
Following Blackbaud’s announcement of the attack, several local nonprofits and a school sent emails to their donors informing them of the attack. In addition to Monticello and James Madison’s Montpelier, as previously reported, those affected locally were Woodberry Forest School and McIntire Botanical Garden.
The University of Virginia uses limited Blackbaud-hosted data services, according to spokesman Brian Coy, and UVa has no reason to believe that its data was misused.
Leslie Greene Bowman, president of the Thomas Jefferson Foundation, which owns and operates Monticello, sent an email to donors on Aug. 10 detailing the attack and reassuring donors that their information had not been misused.
“This security breach was low-risk for data exposure, but it is always important to remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities,” Bowman wrote.
An email attributed to Catherine Wharton, chief development officer at Woodberry Forest, detailed some of the information that may have been accessed by the cybercriminal.
“It is our current understanding that the potentially impacted data may have contained your contact information and a history of your relationship Woodberry, including a history of giving,” the email reads.
An email sent Aug. 22 by McIntire Botanical Garden said the donor information theft may have included names, physical and email addresses, telephone numbers and giving history. No credit card or bank account information or Social Security numbers were accessed, the email said.
“MBG does not retain this type of sensitive information in our database,” the email said.” “Based on the nature of the incident and law enforcement investigations, Blackbaud believes that no data went beyond the cybercriminal or was misused before being destroyed.”
Similarly, in an email sent earlier this month, Montpelier Foundation President and CEO Roy F. Young II apologized for any inconvenience the cybercrime may cause donors and urged people to contact the foundation with questions or concerns.
Blackbaud has “implemented several changes that will protect your data from any subsequent incidents,” Young wrote. “As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities.”
According to Cristine Nardi, executive director of the Center for Nonprofit Excellence, the Charlottesville organization does not keep a list of which nonprofits in the region use Blackbaud and so it is unclear if any other local groups were affected.