Important notification: Blackbaud data breach
For Immediate Release: Aug. 11, 2020
As an important stakeholder and supporter of Planned Parenthood Great Plains, we are providing you details of a cybersecurity incident recently experienced by Blackbaud, Inc., a vendor of Planned Parenthood Federation of America and several affiliates, including ours.
Blackbaud manages data management software and cloud computing software used by many nonprofit organizations. The security breach Blackbaud servers experienced compromised some donor data, including donors to Planned Parenthood Great Plains.
What happened:
Blackbaud identified a ransomware cyber attack affecting certain information stored on its servers in May of this year. They responded to and contained the situation with the aid of law enforcement and cybersecurity and forensics experts. Blackbaud stated that these teams successfully prevented the cybercriminal from blocking Blackbaud’s system access and they ultimately expelled the cybercriminal from their system. Prior to locking the cybercriminal out, however, the cybercriminal removed a copy of a backup file. (Read Blackbaud’s statement about the incident.)
Unfortunately, the file the criminal was able to remove was a portion of the data stored on the company's servers, which included some information about you and other donors. Blackbaud has assured us that credit card information and banking information were not accessed by the cybercriminal and remain encrypted. However, Blackbaud determined that the information removed and presumably destroyed may have included: names; contact information, including telephone numbers, email addresses, dates of birth, and mailing addresses; and a history of donor relationships with our organization, such as donation dates, amounts, and other information in donor profiles.
Blackbaud has obtained confirmation that the stolen data was destroyed and has no reason to believe the information was or will be misused or made publicly available. Blackbaud has also hired a third-party team of experts to continue monitoring for any web activity involving potentially compromised data.
While Blackbaud discovered and contained this attack in May of this year, the company did not notify its clients — including Planned Parenthood — until mid-July. To say the least, we find this delay unacceptable, and we are extremely dissatisfied with Blackbaud's lack of transparency around this incident. We are deeply committed to the privacy of our supporters and have been working diligently since we were notified to obtain substantial, accurate information to share with you.
What Planned Parenthood is doing:
The security and privacy of our supporters and stakeholders is of the utmost importance to us. We want to emphasize that as a policy, Planned Parenthood Great Plains never stores credit card or bank account information in our donor database systems. Planned Parenthood Federation of America’s team has been actively working on behalf of all affected affiliates with Blackbaud and has been assured that Blackbaud has already implemented several changes that will protect our data from any subsequent incidents. Those discussions are ongoing with Blackbaud, and PPGP will reach out with additional details if PPFA and Blackbaud’s joint analysis reveals more information on specific data exposure.
Although there is no action required from you at this time, and no credit card or banking information was exposed in the Blackbaud data breach, we want to provide you with contact information if you wish to speak to someone about this issue.
Again, we regret the inconvenience this breach may have caused you and we are working to hold Blackbaud to a higher standard of data security in the future. Please know we are committed to protecting your personal information, and will keep you informed of any further changes in this situation.
What you can do:
We want to emphasize again that Blackbaud has assured us that no credit card, bank account, or other information of that nature was compromised. However, as a best practice, we recommend that supporters remain vigilant. If you receive unsolicited requests for donations from us or other nonprofits, then call the number on the organization’s website to confirm the legitimacy of the solicitation.
If you would like specific information related to this security breach, please visit Blackbaud’s resource page. If you have any additional questions, please do not hesitate to contact us via email at [email protected] or by calling 913.345.4696.
You may also contact the Planned Parenthood national office for more information about the breach at Blackbaud and how Planned Parenthood will hold vendors to a high standard by clicking here or by calling 800.430.4907.
You can view the details of our Privacy Policy here, and if you want to learn more from Blackbaud, here is their resource page: https://www.blackbaud.com/securityincident.
Our commitment:
We deeply regret that this incident occurred. While data breaches and ransomware attacks are becoming more common, this is not something Planned Parenthood Great Plains ever wants to happen to our valued supporters. The privacy of our supporters is of utmost importance to us.
Blackbaud has apologized to Planned Parenthood and, on behalf of Blackbaud and Planned Parenthood Great Plains, we sincerely apologize for any inconvenience this incident may cause you.
We know that every gift made to our organization is a choice. Thank you for your support of our work to provide and protect access to sexual and reproductive health care. Our mission is only possible because of your generosity, and we are dedicated to keeping your trust.