Blackbaud data breach statement


Out of an abundance of care and caution, we wanted to make you aware of a data breach involving one of our data providers, Blackbaud, who are one of the world’s largest providers of customer relationship management software. Like many charities, schools, and universities worldwide, we use Blackbaud to help us manage our donor database.  

Blackbaud alerted us on 4th August that in May it had been the victim of a ‘ransomware’ attack (an attempt by cybercriminals to hold an organisation’s computer files hostage unless and until payment is made to the cybercriminal). According to Blackbaud, with the help of forensic experts and law enforcement, it was able to stop and resolve the attack, but not before the cybercriminals had removed certain backup files that may have contained some of your personal information.  

Blackbaud have advised that the stolen data has been destroyed and there is no reason to believe the data was or will be misused or will be disseminated or otherwise made available publicly. However, as is the case with any cybercrime, it cannot be entirely ruled out that your personal information may have been subject to unauthorised access.  

Blackbaud have confirmed that their investigation found that no encrypted information, such as bank account details or passwords, was accessible. The data that was affected from Over The Wall comprises donor 

  • names,  
  • postal addresses,  
  • email addresses,  
  • telephone numbers and  
  • giving history 

and only where we have recorded that information on our donor database.  

Our response  

We have undertaken a review of the information we hold on Raisers Edge, and are content that the data potentially accessed poses very minimal or no risk to individuals or organisations named because much of this data is open source and likely to be easily accessible elsewhere.  

We are working with Blackbaud to understand why there was a delay between discovering the breach in May and their notifying us on 4th August, as well as what actions they have taken to increase their security.  

We have initiated security queries with our other IT and database providers. 

We have informed the Information Commissioner’s Office (ICO) of the breach and the delay by Blackbaud in notifying us and have also notified the Charity Commission, OFSTED and the Care Inspectorate who each have a role in overseeing and regulating our activities.  

We have emailed everyone on our database where we have an email address on record. This is likely to be everyone we have been in contact with over the past 5 years or more. We have decided not to send out postal notifications given the low risk associated with this breach and the cost/effort involved in doing so at a time when most of our staff are homeworking. This website notices aims to supplement our personal communications. 

Your Response 

There is no need for anyone who believes their details may have been compromised to take any action at this time. We simply recommend that individuals remain vigilant and promptly report any suspicious activity or suspected identity theft to the Police. If anyone would like to contact Over The Wall in relation to this matter, please contact us on info@otw.org.uk using ‘Blackbaud Data Breach’ as the email title. 

We very much regret the inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our supporters’ continued support.  

Kevin Mathieson, CEO 
5th August 2020