NOTICE OF BLACKBAUD CYBERSECURITY INCIDENT
August 7, 2020
On July 16, 2020 the Edmonton Humane Society (EHS) was advised of a data security incident that may have involved the personal information of our supporters. EHS takes the protection and proper use of your donor information very seriously and in the interest of transparency, we are committed to providing details of the incident.
We were notified by Blackbaud, the third-party service provider who hosts the database used in managing EHS’ fundraising activities, of a security incident. At this time, we understand Blackbaud discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files and ultimately expelled them from their system. Before being locked out, the cybercriminal removed a copy of the EHS backup file containing personal information of our supporters. This occurred at some point beginning on February 7, 2020, and access could have occurred intermittently until May 20, 2020.
Because protecting customers’ data is their top priority, our third-party service provider, Blackbaud, paid the cybercriminal’s demand with confirmation that the copy they removed containing EHS’ data had been destroyed. Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly, and believes the data has been destroyed.
What Information Was Involved
It is important to note that the cybercriminal did not access credit card information or bank account information, which is encrypted. Based on the information Blackbaud provided, EHS has determined that the copy of the file removed may have contained the following:
- name and contact information
- demographic information
- history of relationships with our organization, such as donation dates and amounts
As mentioned above, based on the actions that Blackbaud has taken there is no reason to believe that this information went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud is confident the data has been destroyed.
What We Are Doing
In the interest of being transparent with our valued donors, EHS is posting this advisory to notify our supporters in the unlikely event there is any suspicious activity or suspected identity theft. We have also advised the Office of the Information and Privacy Commissioner of Alberta (OIPC) of the incident. Ensuring the safety of our constituents’ data is of the utmost importance to us.
As part of Blackbaud’s ongoing efforts to help prevent something like this from happening in the future, they have already implemented several changes that will protect our data from any subsequent incidents.
Blackbaud’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. They have confirmed through testing by multiple third parties, including the appropriate platform vendors, that the fix withstands all known attack tactics. Additionally, Blackbaud is accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What You Can Do
As a best practice, EHS recommends you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities.
We sincerely apologize that this incident occurred and regret any inconvenience it may cause you.
Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact EHS’ Privacy Officer Connie Muller, Director, Finance and Human Resources at [email protected].
If you would like to speak to someone in our Fund Development Office, please email us at [email protected] or call our office at (780) 491-3507.
For more information from Blackbaud regarding this incident, please visit blackbaud.com/securityincident.
For media inquiries, please contact [email protected].