Notice of Third-Party Data Breach
Notice of Data Breach, Blackbaud
July 2020
What Happened
We were recently notified by Blackbaud, athird-party database provider,ofa security incident. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented the cyber criminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cyber criminal removed a copy of our backup file containing some of your personal information. This occurred at some point between February 7, 2020 and May 20, 2020.
It’s important to note that:
- The cyber criminal did not at any point access any encrypted credit card information, bank account information, or social security numbers.
- The file removed may have contained your contact information, demographic information, and a history of your relationship with our organization, such as donation dates and amounts.
- Blackbaud paid the cyber criminal’s ransom demand, with third-party expert confirmation that the data copy they removed had been destroyed.
- Based on Blackbaud and third-party (including law enforcement)investigations, we have no reason to believe that any data went beyond the cyber criminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
Respecting the privacy of our donors, staff, volunteers, students, and alumni data is of the utmost importance to us. Cristo Rey collects only essential personal information from constituents, maintains constituents’ personal information with reputable, third-party service providers,and does not share any personal information without written, expressed consent as codified in our employee Confidentiality Policy. Although we have no reason to believe this data breach will affect our constituents in any way, we are notifying our community to be transparent.
As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will protect your unencrypted data from any subsequent incidents as explained by Blackbaud: “First, the provider’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cyber criminal, and took swift action to fix it. We have confirmed through testing by multiple third parties, including the appropriate platform vendors, that our fix withstands all known attack tactics. Additionally, they are accelerating our efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.”
We regret any inconvenience this incident may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please contact Laura Aguilar at (773) 890-6844 or laguilar@cristorey.net.
What You Can Do
Again, we have no reason to believe this data breach will affect our constituents in any way. However, as a best practice, we recommend you remain vigilant and promptly report any suspicious activity to the proper law enforcement authorities.Below you will find additional steps to help protect yourself.
Additional Resources
You may purchase a copy of your credit report by contacting one or more of the three nationwide reporting agencies:
- Equifax, PO Box 740241, Atlanta, GA 30374, 1-866-349-5191
- Experian, PO Box 9532, Allen, TX 75013, 1-888-397-3742
- TransUnion, PO Box 1000, Chester, PA 19022, 1-800-888-4213
You may also obtain a Free Credit Report. To order your annual free credit report by visiting annualcreditreport.com, or by calling toll free at 1-877-322-8228, or by mailing an Annual Report Request to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
You should remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit report for unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting agencies.
Federal Trade Commission and State Attorneys General Offices. You should immediately contact the Federal Trade Commission and/or the Attorney General's office in your home state if you believe you are the victim of identity theft or have reason to believe your personal information has been misused. You may also contact the Federal Trade Commission and/or the Attorney General's office in your home state for information on how to prevent or avoid identity theft. You can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.
Fraud Alert. You may place a fraud alert by calling one of the three nationwide credit reporting agencies above. A fraud alert tells creditors to follow certain procedures, including contacting you before they open any new accounts or change your existing accounts. For that reason, placing a fraud alert can protect you, but also may delay you when you seek to obtain credit.
Security Freeze. You have the ability to place a security freeze on your credit report. A security freeze is intended to prevent credit, loans and services from being approved in your name without your consent. To place a security freeze on your credit report, you may be able to use an online process, an automated telephone line, or a written request to any of the three credit reporting agencies listed above. The following information must be included when requesting a security freeze: (1) full name, with middle initial and any suffixes; (2) Social Security number; (3) date of birth; (4) current address and any previous addresses for the past five years; and (5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles. The request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement. It is essential that each copy be legible, display your name and current mailing address, and the date of issue.