Craig Foundation (“the Foundation”) is a charitable organization benefiting the activities of the not-for-profit rehabilitation hospital, Craig Hospital. As a part of its operation, the Foundation uses the cloud-based database and fundraising management tool provided by Blackbaud, Inc. (“Blackbaud”).
On July 16, 2020, Blackbaud notified the Foundation, as well as hundreds of other customers of its products, that it was impacted by a ransomware event. According to Blackbaud, in May 2020, ransomware was deployed within Blackbaud’s environment, and some data was exfiltrated out of its systems. At the time of its July report, Blackbaud explained that none of the Foundation’s data stored in Blackbaud’s tools was affected by the incident.
On October 14, 2020, Blackbaud alerted the Foundation that its July report was incorrect. In this follow-up notice, Blackbaud explained that some of the Foundation’s data stored in Blackbaud tools was in fact affected by the incident. Upon learning this new information from Blackbaud, the Foundation immediately began reviewing its internal records to identify who may have been affected. On January 15, 2021, that review concluded that the unauthorized party could have accessed certain personal information pertaining to some of our donors and vendors, such as their names, dates of birth, Social Security numbers, driver’s license numbers, and limited medical information.
On February 15, 2021, the Foundation mailed letters to all individuals that were potentially impacted by the incident and for whom it has a mailing address. The potentially involved individuals should refer to the letter they received in the mail regarding steps they can take to protect themselves. These individuals may obtain additional information by calling the Foundation’s confidential inquiry line at 1-888-545-5852 between 8:00 a.m. to 5:00 p.m. Central Time, Monday through Friday.
As a precautionary measure, the potentially involved individuals should remain vigilant about protecting themselves against potential fraud or identity theft by, among other things, reviewing their account statements and monitoring credit reports closely. If individuals detect any suspicious activity on an account, they should promptly notify the financial institution or company with which the account is maintained. Individuals should also promptly report any fraudulent activity or any suspected incidents of identity theft to the proper law enforcement authorities, including the police and the Attorney General of their state.
Potentially involved individuals may also wish to review the tips provided by the Federal Trade Commission (“FTC”) on fraud alerts, security/credit freezes and steps that they can take to avoid identity theft. For more information and to contact the FTC, please visit www.ftc.gov/idtheft or call 1-877-ID-THEFT (1-877-438-4338). These individuals may also contact the FTC at: Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
Contact information for the three national credit reporting agencies is as follows:
The Foundation values the trust its donors place in it to protect their information and apologizes for any inconvenience that this incident at Blackbaud might cause.
Blackbaud's explanation of the incident can be found here: https://www.blackbaud.com/securityincident.