September 7, 2020; Portland Press Herald (Portland, ME)
Even as many nonprofits are working to understand the extent to which the pandemic and the resultant economic downturn will affect their revenue, a number of hospitals, social service programs, human rights, and art organizations have the extra worry associated with Blackbaud’s massive security breach—and the number’s not small.
The hack accessed the personal information belonging to a mind-boggling array of nonprofit donors both in the US and abroad. Blackbaud knew about the breach in May but did not start notifying its clients until July, leaving the nonprofits impacted to establish their own protocols and timelines for notifying donors. In Maine, the Portland Press Herald reports that LifeFlight of Maine let its donors know their information had been compromised last week, following similar revelations in August from the Northern Light Health Foundation, the Opportunity Alliance, and Maine Cancer Foundation.
Although there’s no evidence that donor Social Security numbers or bank information were exposed, all of this is eating up enormous amounts of time and attention—and, one presumes, good will. A description of the process LifeFlight had to go through provides some sense of it:
Anna Dougal, director of development for the [LifeFlight Foundation], said her organization was notified of the breach by Blackbaud in mid-July and has been working with the company to try to determine the extent of the damage. She said the hackers got some fundraising, demographic, and contact information on donors, but no bank account or credit card numbers.
Dougal said she and Blackbaud were able to determine that the hackers had not been able to access some of LifeFlight’s encrypted information, and that the company and law enforcement officials have gone looking for some of the data that was stolen and have been unable to find it on illicit websites where such information would normally be sold. She said Blackbaud officials told her that’s why they believe that the hackers did, in fact, destroy the data after the ransom was paid.
In North Dakota, meanwhile, the Valley City State University Foundation, the University of North Dakota Alumni Association and Foundation, the North Dakota State University Foundation, and the Minot State University Development Foundation were all notified in July about the breach. They’re just informing their donors about it now by email—three and a half months after Blackbaud first discovered the problem.
It remains unclear how the data breach will affect donor behavior, but the Opportunity Alliance says it hasn’t heard from donors reporting any impact from the breach.—Ruth McCambridge