Cyber Security Incident

24/07/2020


The Urology Foundation, along with several other charities, uses a company called Blackbaud to host our supporter database.

We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. This has meant that some of our supporters’ details have been accessed, including some personal information like their names, addresses and email addresses. No financial or banking details were included in the database.

As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. They have also reassured us that new safeguards have been put in place to prevent this happening again. We have decided to report this incident to the ICO to ensure that they are fully aware.

We have been assured by Blackbaud that there is a low risk to TUF supporters, but all the same we would urge all of our supporters to continue to be wary of unexpected communication and practise the usual caution around suspicious emails and letters.

If anyone is concerned or has further questions please contact our data protection lead at: ldewinter@tuf.org.uk

Blackbaud has set out further details about the incident here.

We take data security seriously. Our privacy notice details how we use your data, how we keep it safe and how to opt out of data processing activities. View our privacy policy here: https://www.theurologyfoundation.org/privacy-policy

What happened?

We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. Blackbaud are the company that host our supporter database, and the database of a large number of other organisations. This has therefore meant that some details of our supporters have been accessed, including some personal information like their names, addresses and email addresses.

What have Blackbaud done to rectify the situation?

As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. We are aware that they have paid a ransom to the cybercriminals for assurances that the stolen information has been destroyed. They have worked with law enforcement and a third-party company and have found no evidence that any of the information taken has been used, and continue to monitor for this.

They have informed us that new safeguards have been put in place to prevent this happening again.

What information was accessed?

The database that was affected includes supporters’ contact details (which may include phone number, email address and/or postal address) and, potentially, some details of the nature of their activity with us, including if they have donated to a fundraiser or attended an event. No financial or banking details are included in the database.

What has The Urology Foundation done since learning about the breach?

TUF has reported the breach to the Information Commissioner’s Office. We also made a statement about the breach on our website. We continue to seek clarity from Blackbaud about how the breach occurred and confirmation of which data may have been accessed, and will notify individuals if it appears that sensitive data has been accessed.

How confident are you that the private data has been destroyed?

Blackbaud have assured us that to the best of their knowledge the data has been destroyed, and their ongoing monitoring has shown no sign of any of the information being used fraudulently. We continue to monitor the situation and seek independent advice.

What steps can our supporters take to protect themselves?

We would recommend that all supporters continue to take the usual steps to maintain caution. More information about protecting against fraud can be found here: https://www.met.police.uk/advice/advice-and-information/fa/fraud/personal-fraud/prevent-personal-fraud/#:~:text=Don’t%20hand%20over%20money,don’t%20know%20or%20trust.

Was any financial information about supporters taken?

No.