July 23, 2020; VT Digger
One of the last things that any nonprofit wants to do is tell donors that their personal information has been compromised, but that is the position many nonprofits around the country have found themselves in after Blackbaud – widely used by larger nonprofits in fundraising – was hacked.
Making matters worse, the hack occurred between February and mid-May, but Blackbaud’s nonprofit customers were apparently not informed until July 16. Blackbaud has not shared the names of the nonprofits who had their data compromised, and there has been little coverage of the issue in the United States.
So how would donors know that their information may have been compromised? It’s up to nonprofits to let them know, and that notification may not follow a standard protocol.
A statement released by Blackbaud said that the ransom demand had been paid after confirmation that all files had been destroyed, but that does not relieve the nonprofits involved from needing to inform donors that their privacy had been breached.
Middlebury College in Vermont informed its donors the day after they got the information from Blackbaud, and Vermont Public Radio is doing the same, specifying to their 25,000 current donors that their names, phone numbers, addresses, and donor histories – but not their bank information – were stolen. Those donors are responsible for almost two-thirds of the station’s budget.
But the Vermont Foodbank still has not done the same with its donors, relying on Blackbaud’s assurances that no “sensitive information” was accessed.
In 2019, Blackbaud was working with 45,000 nonprofits, foundations, companies, educational institutions, and health care organizations internationally. Human Rights Watch (HRW) also found its information was compromised; it’s not only informing every contact, but also ending its contract with Blackbaud. The costs of this breach are likely to be very high, as each of the organizations launches its own investigation to pinpoint whose information was affected and waits to see if there is a fall-off of donors. —Ruth McCambridge
Correction: This article has been altered from its initial form. As of July 23, 2020, the Vermont Foodbank has notified its donors. “It is our understanding that no sensitive information was involved in their incident,” said Nicole Whalen, director of communications and public affairs. “This means no financial information (including credit card or bank account information) was involved. We are also conducting our own investigation with a privacy expert to confirm that the information of our donors was not affected.” Human Rights Watch is not headquartered in the UK, nor did they issue a statement regarding other organizations. NPQ regrets the errors.