Blackbaud Security Incident

INCCRRA is committed to protecting the security and privacy of our data. Regrettably, we recently learned of an incident that occurred at one of our third-party accounting vendors, Blackbaud, Inc., that may have involved INCCRRA data.

What happened?
We were recently notified by our third-party accounting service provider, Blackbaud, of a security incident. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attempted attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of our backup file containing personal information. We immediately took steps to understand the extent of the incident and the data involved.

What information was involved?
It’s important to note that the cybercriminal did not access credit cardholder data. However, we have determined that the file removed may have contained name, address, social security number, and in some instances bank account number. This information was in a Blackbaud database that was used by INCCRRA until 2008.
Because protecting customers’ data is their top priority, Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

How are we responding?
We want all affected to know that we are taking this matter very seriously.  We are notifying those affected so they can take action to protect themselves.  Blackbaud is offering single bureau credit monitoring, protective fraud assistance, and identity theft and fraud resolution services to those affected.  
Ensuring the safety of the data is of the utmost importance to us.  While Blackbaud has informed us that it has no reason to believe any data was or will be misused, disseminated or otherwise made publicly available, we recommend affected individuals review credit reports and bank statements. If individuals see services they did not receive, please contact the provider immediately. 

To help prevent something like this from happening again, we are evaluating our arrangement with Blackbaud and its security safeguards.  We sincerely apologize for this incident and regret any inconvenience it may cause.

Content Loaded - 11/5/2020
Content Edited - 2/8/2021