Blackbaud data security incident
I am writing to you because you are a current or past supporter of the Vegetarian Society, or someone who has contacted us to use our charity services. I want to let you know we have been made aware of a security incident involving some of your personal data the charity holds.
You do not need to take any action in relation to this incident.
Below are further details of the incident and the steps we have taken in response.
Details of the breach
Like many charities, we use a third-party company to provide us with secure relationship management systems. The Vegetarian Society uses Blackbaud, one of the world’s largest providers of supporter database software to non-profit and education organisations. They informed us on 16 July 2020 that some of our data was involved in a ransomware attack they had been subjected to. The cybercriminal removed a copy of data which included information on some members and supporters, Vegetarian Society Cookery School attendees, and people contacting us for information. The backup affected was dated between 2 February and 20 May 2020. Any data in relation to any contact with the Vegetarian Society after that date will not have been included.
Many organisations internationally that use Blackbaud's services have been affected, including over 125 charities and universities in the UK.
Blackbaud has assured us the data compromised in the incident did not contain any password, bank account or credit card information.
Since being informed, we have been undertaking our own investigation to discover who and what type of data may have been affected.
Data which may have been affected
We believe your name and the contact information you shared with us may have been accessed.
Any engagement you might have had with the charity, such as signing up for a cookery school course, contacting us for information or advice about vegetarian issues, or a fundraising campaign.
The details of any membership of the charity or donation you may have given to us in past (but not any bank account or credit card details)
Blackbaud has confirmed to us that:
it has conducted an investigation (involving law enforcement agencies);
no passwords, credit card details or bank account information were affected; and
it obtained confirmation that the data removed by the cybercriminal was destroyed; and
it has no reason to believe any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly.
You can read Blackbaud’s statement on this issue here:
https://www.blackbaud.com/securityincident. You can also see the information contained in this email and updates on the progress of our investigation at
www.vegsoc.org/blackbaudsecurityincident.
Further steps
We have taken the following actions in response to this incident:
commenced a thorough investigation;
informed the Information Commissioner’s Office (ICO) about the breach;
asked Blackbaud to detail the steps it will take to ensure it will not be affected by similar incidents in the future;
asked for an explanation of the delay in Blackbaud informing us of this issue;
taken legal advice on the risk to everyone affected and what we should do.
You do not need to take any action in relation to this incident. However, we encourage you to remain vigilant and report any unusual activity or suspected identity theft promptly to the police. We recognise this news may cause you some concern and you can contact us if you want any further advice or reassurance.
We will let you know if there is any action you need to take in the future.
I want to assure you we take data protection very seriously. Our privacy notice gives details about how we use your data and how to opt out of data processing activities. You can view it here:
https://vegsoc.org/privacy-policy/. If you have any questions regarding this incident, please contact
hello@vegsoc.org.
Fay Counts
Head of Fundraising & Membership