Mental Health Foundation statement on Blackbaud cyber-attack

On 16 July, the Mental Health Foundation was informed of a criminal ransomware cyber-attack on the servers of Blackbaud. Blackbaud is the company that hosts the Foundation’s supporter database known as Raiser’s Edge. A number of other charities and universities were targeted simultaneously.

A file containing details relating to some of our supporters was part of this incident. We have been informed by Blackbaud that the file did not contain any credit card information. Furthermore, the cybercriminal did not gain access to bank account information, usernames, or passwords stored in our database because they were encrypted. None of our data was lost or corrupted as a result of this incident. 

We have sought assurances from Blackbaud about the steps it has taken to deal with the situation. It has told us that it believes all of the details that were accessed have now been destroyed. It has done its own forensic damage assessment and has reassured us that new safeguards have been put in place to prevent this happening again.

We will be contacting all our supporters affected by this incident. We urge all of our supporters to be wary of unusual communications and practise the usual caution around any suspicious-looking phone calls, e-mails, letters, and requests for money. We apologise for any inconvenience this may cause.

At the Mental Health Foundation, we take any data breach involving our supporters extremely seriously and will meet all our regulatory obligations.  We have been in touch with the Information Commissioner’s Office and are contacting the Charity Commission.

If anyone is concerned or has further questions, please contact our data protection lead at: [email protected]

Blackbaud has set out further details about the incident here.

We take data security seriously. Our privacy notice details how we use your data, how we keep it safe and how to opt out of data processing activities. View our privacy policy here: https://www.mentalhealth.org.uk/privacy-policy

 

Ends