Recommendations for Nonprofits Using Blackbaud Raiser’s Edge or Nxt
In May of 2020, Blackbaud discovered and stopped a ransomware attack. Before Blackbaud locked the cybercriminal out, the cybercriminal removed a copy of a subset of data from Blackbaud’s self-hosted environment. According to an official statement made by Blackbaud, the cybercriminal did not access credit card information, bank account information, or social security numbers.
In accordance with regulatory requirements, Blackbaud is notifying all organizations whose data was part of this incident and is providing resources and tools to help them assess this incident. The email was sent to your organization’s administrator on July 16, 2020. Some organizations may not have an admin on file, so in that instance, Blackbaud emailed the person on file who handles invoices and payment. Check with both individuals in your organization to see if they received notification.
If you did not receive an email, your data was not included in the cyberattack. No action is needed, though we would recommend that all Raiser’s Edge users change their passwords immediately.
If you did receive notification, that email includes a personalized link and next steps to take, depending on the level of information that was obtained from your organization as a result of the cyberattack. The personalized link will take you to a description of exactly what data was compromised in the attack.
For some organizations, it was only a Data Health Report. For others, an encrypted version of your database backup may have been part of the incident. Blackbaud assures all customers the criminal did not gain access to bank account information, usernames, passwords, or social security numbers.
Most organizations will not have a legal need to notify their constituents. In the email sent to your administrator, Blackbaud has included a customized link for your organization with access to a resource page featuring a step-by-step toolkit on next steps. The toolkit provides a written guide to notification laws, and we advise you to consult with your organization’s legal counsel to understand if notification is required at all.
If, after reviewing your customized link, the toolkit, and other resources, you have questions, contact the dedicated team that has been created to handle this incident (not your account rep): 1-855-907-2099 between 9 a.m. and 9 p.m. ET, Monday – Friday.