Notice of Data Incident
A NOTICE TO OUR LISTENERS, MEMBERS AND SUPPORTERS
NHPR was recently notified by one of its third-party service providers of a security incident. That service provider is Blackbaud, which provides services related to our donor database and constituent engagement. The security incident was far-reaching and involved a number of Blackbaud clients, including, universities, nonprofits, and other public media organizations.
Blackbaud informed us that they discovered and stopped a ransomware attack. According to Blackbaud, they successfully prevented the cybercriminal from blocking their system access and fully encrypting files. However, prior to locking the cybercriminal out, the cybercriminal removed a copy of NHPR’s backup file containing some individuals’ information. The incident occurred between February 7, 2020 and May 20, 2020. NHPR received notification of the incident on July 16th. Since that notification, NHPR has been working diligently with the Blackbaud team and our legal and security advisors to fully understand what the impact is in regards specifically to our system and the data of our supporters like you.
You can learn more about Blackbaud’s response here.
What Information Was Involved
As reported by Blackbaud, the cybercriminal did not access supporters’ credit card information or bank account information. However, we have learned that the file removed may have contained NHPR donors’ contact information, demographic information, and a history of their relationship with NHPR, such as donation dates and amounts.
Blackbaud informs us it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
We are notifying our constituents because we realize your information is important to you. Informing you also allows you to remain vigilant. Ensuring the safety of our constituents’ data is of the utmost importance to us. Upon receiving the notice, we immediately implemented our response plan and are working with privacy legal counsel to learn the full scope of the incident. If we determine that personal information was acquired by the attackers, we will notify any individuals whose personal information was involved.
In addition, as part of its ongoing efforts to protect against incidents such as this, Blackbaud assures us that the company has already implemented several changes:
- First, Blackbaud tells us their teams were able to identify the vulnerability associated with this incident.
- Blackbaud has confirmed through testing by multiple third-parties, including the appropriate platform vendors, that their fix withstands all known attack tactics.
- Additionally, Blackbaud is accelerating its efforts to further harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What You Can Do
Again, we want to reiterate that Blackbaud has informed us that NO bank account or credit card information was accessed in this incident. But, as a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to law enforcement authorities.
For More Information
We value the trust and generosity of our donors and constituents. We sincerely regret any inconvenience or distress this may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please contact firstname.lastname@example.org.
We take seriously our responsibility to protect you and your information when you choose to engage with us or support our important mission. We thank you for that privilege, and for your understanding in this matter.