NOTICE OF DATA BREACH
We are writing to let individuals who have made donations to Catholic Charities of St. Paul and Minneapolis know about a global data security incident that may have involved their personal information. Catholic Charities takes the protection and proper use of donor information very seriously. We are posting this notice to explain the incident and provide donors with steps they can take to protect themselves.
We were recently notified by our database service provider, Blackbaud Inc., of a global security incident impacting many nonprofits. At this time, we understand they discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement— successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from the system.
What Information Was Involved
It’s important to note that the cybercriminal did not access your credit card information, bank account information, or social security number.
However, Blackbaud has determined that the file removed may have contained your name; contact information, including telephone numbers, email addresses, and mailing addresses; and a history of your relationship with our organization, such as donation dates and amounts. Constituents who started a relationship with Catholic Charities since May 2020 are not affected.
Because protecting customers’ data is their top priority, Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and a third party (including law enforcement) investigation, they do not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We and Blackbaud Are Doing
As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has implemented several changes that will protect your data from any subsequent incidents:
First, their teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. They have assured us that they have confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, they are accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
What You Can Do
Again, no credit card, bank account, or other sensitive information of that nature was compromised, to our knowledge. However, as a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities such as the Federal Trade Commission, and the Office of the Minnesota State Attorney General.
For More Information
We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact me at Hayley.Mueller@cctwincities.org or 612-204-8505.