28th July 2020
Age Exchange uses a supporter database owned by a company called Blackbaud. They are a market leader and provide a service to many charities and Universities both in the UK and abroad. We use their system to record our engagement with supporters and volunteers and it enables us to communicate easily with people.
We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. This has therefore meant that some details of our supporters have been accessed, including some personal information like their names, addresses and email details. We have been assured by Blackbaud that no financial or banking details were accessed. Age Exchange was one of a significant number of charities and academic institutions who have been affected.
We took immediate action and reported the attack to the Information Commissioners Office on Friday 17th July and have since filed a serious incident report with the Charity Commission.
As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. They have also reassured us that new safeguards have been put in place to prevent this happening again.
What do our supporters need to do?
No action is required of at this time; we have been assured by Blackbaud that there is a low risk to Age Exchange supporters as no financial information or passwords were accessed. We recommend you remain vigilant around suspicious emails and post.
Blackbaud has set out further details about the incident here
We take data security seriously and you can view our General Data Protection Regulations (GDPR) policy here.
What have Blackbaud done to rectify the situation?
Blackbaud have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. We are aware that they have paid a ransom to the cybercriminals for assurances that the stolen information has been destroyed. They have worked with law enforcement and a third-party company and have found no evidence that any of the information taken has been used, and continue to monitor for this.
They have informed us that new safeguards have been put in place to prevent this happening again.
What information was accessed?
The database that was affected includes supporters’ contact details (which may include phone number, email address and/or postal address) and some details of the nature of your relationship with us, including if they have donated money, attended a group or volunteered for us. No financial or banking details were accessed.
What has Age Exchange done since learning about the breach?
Within 24 hours Age Exchange took action to report the breach to the Information Commissioners Office. Additionally, we submitted a Serious Incident Report to the Charity Commission. We have also made a statement about the breach on our website and now that we have assurances from Blackbaud are writing to everyone in our database to inform them what has happened.
How confident are you that the private data has been destroyed?
Blackbaud have assured us that to the best of their knowledge the data has been destroyed, and their ongoing monitoring has shown no sign of any of the information being used fraudulently. We continue to monitor the situation and seek independent advice.
We take the issue of privacy of data seriously and we are really sorry for any distress this has caused. We will continue to seek assurances from Blackbaud about their systems and will remain vigilant. If we are dissatisfied with their security systems we will stop using them and seek a new provider.