Blackbaud Security Breach Notification
To Our Friends and Donors
We are writing to let you know about a data security incident that may have involved your personal information. Homeward Pet takes the protection and proper use of your information very seriously. Therefore, we are contacting you to explain the incident and provide you with steps you can take to protect yourself.
What Happened
We were recently notified of a cybersecurity incident by one of our service providers, Blackbaud, Inc. We use Blackbaud’s services to process donations to our organization and to help manage our donor records. According to Blackbaud, it suffered a ransomware attack in which a cybercriminal gained access to its computer network and files and tried to prevent Blackbaud from using its data files. Blackbaud informed us that, as part of this incident, the cybercriminal may have been able to access files that contained some of your personal information, although there is not a clear indication that an unauthorized user actually accessed your information. Blackbaud has reported that, with the help of cybersecurity experts and law enforcement, it ultimately expelled the cybercriminal from its systems. According to Blackbaud, this incident occurred on February 7, 2020, and the criminal could have accessed their system until May 20, 2020.
What Information Was Involved
It’s important to note that the cybercriminal did not access your credit card information, bank account information, or social security number. Blackbaud explained that this information was encrypted, so the cybercriminal was not able to access it. However, we have determined that the file removed may have contained your contact information, demographic information (age, date of birth, marital status), and a history of your relationship with our organization, such as donation dates and amounts.
Blackbaud paid the cybercriminal’s demand and received confirmation that the data copy they removed had been destroyed. Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
We are continuing to monitor reports and gather other information about the incident. The incident did not involve our systems, but we are examining our security and other ways to protect your data, such as evaluating how we collect and store personal information. Although we are not certain that the cybercriminal accessed your information in particular, we are notifying you so that you can take immediate action to protect yourself. Ensuring the safety of our constituents’ data is of the utmost importance to us.
As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has advised us that it has implemented several changes that will protect your data from any subsequent incidents. According to Blackbaud, it was able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. Blackbaud reports that it has confirmed, through testing by multiple third parties, including the appropriate platform vendors, that its security improvements withstands all known attack tactics. Additionally, Blackbaud has stated that it is accelerating efforts to further improve its security by enhancing its system access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities. Please review the sections below for further information on actions you can take to protect yourself.
For More Information
We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact me at (425) 488-4444 ext. 4005 or .
Sincerely,
Nanette McCann
Review Your Account Statements and Notify Law Enforcement of Suspicious Activity
As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements and credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You also should promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, including your state attorney general and the Federal Trade Commission (FTC).
To file a complaint with the FTC, go to IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338). Complaints filed with the FTC will be added to the FTC’s Identity Theft Data Clearinghouse, which is a database made available to law enforcement agencies.
Obtain and Monitor Your Credit Report
We recommend that you obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting www.annualcreditreport.com, calling toll-free 877-322-8228, or by completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348. You can access the request form here, or you can purchase a copy of your credit report by contacting one of the three national credit reporting agencies. Contact information for the three national credit reporting agencies for the purpose of requesting a copy of your credit report or for general inquiries is provided below:
Equifax
(800) 685-1111 P.O. Box 740241 Atlanta, GA 30374 |
Experian
(888) 397-3742 P.O. Box 4500 Allen, TX 75013 |
TransUnion
(888) 909-8872 2 Baldwin Place P.O. Box 1000 Chester, PA 19016 |
Consider Placing a Fraud Alert on Your Credit Report
You may want to consider placing a fraud alert on your credit report. An initial fraud alert is free and will stay on your credit file for at least 90 days. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name. To place a fraud alert on your credit report, contact any of the three credit reporting agencies identified above. Additional information is available at www.annualcreditreport.com.
Take Advantage of Additional Free Resources on Identity Theft
We recommend that you review the tips provided by the Federal Trade Commission on how to avoid identity theft. For more information, please visit IdentityTheft.gov or call 1-877-ID-THEFT (877-438-4338). Taking Charge: What to Do if Your Identity is Stolen, a comprehensive guide from the FTC to help you guard against and deal with identity theft, can be found on the FTC’s website.
Security Freeze
You have the right to put a security freeze on your credit file. A security freeze (also known as a credit freeze) makes it harder for someone to open a new account in your name. It is designed to prevent potential creditors from accessing your credit report without your consent. As a result, using a security freeze may interfere with or delay your ability to apply for a new credit card, wireless phone, or any service that requires a credit check.
Contact the three credit reporting agencies listed above (Equifax, Experian and TransUnion) to request a security freeze. The credit reporting agencies’ websites explain how to request a security freeze.You must separately place a security freeze on your credit file with each credit reporting agency.
To place a security freeze, you may be required to provide the consumer reporting agency with information that identifies you including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card, and a recent utility bill, bank statement, or insurance statement.