We have been contacting our supporters to let them know that their data has been affected by a data security incident at Blackbaud, the firm who run our supporter database. We want to reassure you that the breach is low risk, but we wanted you to be aware of the situation.
Update 2 October 2020: Further to the BBC article published this week, we have been assured by Blackbaud that no bank details or passwords have been affected on our system. The information on this page is still correct and there is no cause for further concern.
Like many charities, universities, arts organisations, healthcare providers and other institutions, we use Blackbaud's database services to store information about our donors, contacts and email subscribers. The media has reported that many other organisations have been affected.
What Autistica data this affects
The data accessed by the cybercriminal may have contained some or all of the following information you have provided to us as part of your support of Autistica:
- basic details such as name, title, gender, postal addresses and contact details
- a record of your engagement with us including fundraising activities and events
- professional details if relevant
- information you have given to us to personalise our contact with you, such as whether you are autistic, a family member, or a researcher
What we know so far
Blackbaud recently informed us that they were the victim of a ransomware attack between February and May 2020. They managed to lock the cybercriminal out of their systems, but the cybercriminal was able to remove a copy of data from some of Blackbaud’s clients, including Autistica. Blackbaud has informed us that they paid a ransom in return for assurances that the stolen data had been destroyed.
Your financial data is not at risk
We would like to reassure you that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber-security experts. Blackbaud have confirmed that the investigation found that no encrypted information, such as credit card information or passwords, was accessible.
What we have done
As soon as we were informed, we launched our own investigation and informed the Information Commissioner’s Office and the Charity Commission. We have contacted all those with email addresses on our database and are in the process of writing to all those without email addresses.
What we are doing to secure your data
We take our data protection responsibilities very seriously and we believe that the risk of harm from this incident is low. We are absolutely committed to minimising any risks to your data in the future and want to assure you we are already taking further steps to minimise risks, in addition to seeking reassurances from Blackbaud about additional steps that it will itself take to safeguard your data.
Why our contacts are low risk
We appreciate that this may be concerning for you and we are committed to supporting you in any way we can. We are very frustrated and sorry that this has happened, but the risk to you is low. Most people on our database have very minimal information on the system. As always, be wary of emails that come into your inbox asking for personal details or money. We have no reason to believe that your data has gone any further than the cybercriminal who destroyed it at Blackbaud's request.
Contacting everyone on our database is a huge and complex task for a charity of our size, but we have tried our absolute best to get in touch with everyone. If you have not heard from us and have further questions, please get in touch with James Cusack, CEO at firstname.lastname@example.org.
Thank you for your continued support and understanding with this difficult situation.