Archdiocese details data security breach
Blackbaud Inc. said the incident was a `ransomware attack'
The Arch diocese of Oklahoma City and several other Catholic agencies are among organizations that may have been affected by a recent Blackbaud database security breach.
Blackbaud Inc. is based in Charleston, S. C. In a story about the recent security incident, The NonProfit Times, a business publication for nonprofit management, described the company as one of the world's largest providers of financial and fundraising technology to nonprofits.
Diane Clay, the archdiocese' s communications director, said the Blackbaud data breach affected organizations around the globe. She said the archdiocese sought to alert people that it was monitoring the situation as it related to the archdiocese.
“Along with hundreds of other foundations, universities and nonprofits around the world, the Archdiocese of Oklahoma City maybe impacted by the data breach at Blackbaud. We have not had reports of issues related to the breach, but out of caution, we are notifying everyone in our database so they can be diligent in monitoring their information," Clay said in a statement.
Peter de Keratry, the archdiocese's executive director of stewardship and development, recently emailed individuals and families in t he archdiocese's database to notify them of what he called a "third-party security breach that affected charitable institutions around the world."
In his letter titled "Database Incident ," de K era try said the notification was being sent on behalf of the archdiocese, Catholic Charities of Oklahoma City, Oklahoma Catholic Radio, the Catholic Foundation of Oklahoma and Bishop McGuinness Catholic High School. In noting the nature of the incident, he said the breach also affected organizations like the Vatican Observatory.
"It is important to note that the cy ber criminal did not access your credit card information, bank account information or Social Security number. However, Blackbaud has determined that the files removed may have contained information regarding your name, giving history, address, phone number and email address," de Keratry wrote. "Based on the nature of the incident, their research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly."
'Ransomware attack'
Black baud reported the incident in a posting on its website, describing the breach as a" ransom ware attack" in which" cy ber criminals attempt to disrupt the business by locking companies out of their own data and servers."
The company said its cybersecurity team, working with independent forensics experts and law enforcement, successfully prevented cyberthieves from blocking their system access and fully encrypting files. Blackbaud said the cybercriminals were ultimately expelled from their system, but not before t he organization paid a ransom.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our selfhosted environment. The cybercriminal did not access credit card information, bank account information, or Social Security numbers. Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed," Blackbaud said.
Archdiocese recommends vigilance
Meanwhile, in his letter, the archdiocese's de Keratry recommended those receiving his correspondence remain vigilant and report any suspicious activity or suspected identity theft to law enforcement and the archdiocese.
"We are notifying you so you can take action to protect yourself. Ensuring the safety of our constituents' data i s of the utmost importance to us. As part of their ongoing efforts to help prevent this from happening in the future, Blackbaud has already implemented several changes that will protect your data from any subsequent i ncidents," he wrote.
"Your continued support for Catholic ministries in the Archdiocese of Oklahoma City i s greatly appreciated. We sincerely apologize for this incident and regret any inconvenience it may cause you."