Further to the initial information provided to us by Blackbaud, detailed below, it has been disclosed that the cybercriminal 'may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords'.
However, this only affected a small number of the organisations involved in the breach, and we are happy to say that that doesn't include us. Blackbaud have reiterated that the data breach did not involve access to credit card details.
On 16th July we were notified by Blackbaud, the company that hosts our supporter database, that we were one of a large number of charities and other organisations affected by a cyber attack that occurred in May 2020. Blackbaud is one of the largest fundraising database providers and is used by charities across the world. The attack involved their systems being hacked into and some of the information being stolen and held to ransom, to make the target company buy it back.
The attack is considered as low risk, as Blackbaud have assured us that none of our supporters’ financial details (including bank account or credit card details, passwords or usernames) were accessed. When we put a supporter's financial details on our database, they are immediately encrypted, and no encrypted data was accessed.
However, we're sorry to say that some personal information was accessed by the hacker, including names, email addresses, postal addresses, phone numbers and donation history (dates and amounts). Blackbaud has confirmed that, to the best of their knowledge, all the data has been destroyed and that they have no reason to believe that any data will be misused or made publicly available.
We have reported the attack to the Information Commissioner’s Office (ICO), the Charity Commission and Action Fraud. Along with all other affected charities (and there are many), we are awaiting further information from Blackbaud to let us know how their systems were breached and how they will prevent a similar attack from happening again. If we’re not satisfied with their response, we’ll move our database to a different provider.
If you have any further questions or concerns, please get in touch with us at firstname.lastname@example.org