An important notice about your personal information

The Church Urban Fund was recently notified by one of our previous third-party service providers, Blackbaud, that they were the victim of a cybersecurity attack.

This occurred intermittently between the dates of February 2020 and May 2020. Blackbaud’s CRM Database, Raiser’s Edge, is used by many charities to manage charitable giving. Unfortunately, The Church Urban Fund is one of over 100 UK charities that were affected. As Blackbaud is so widely used, other organisations you support may have already been in touch with you about this breach. We have only just received full details from Blackbaud about the extent to which our data was involved, which is why we are releasing this statement to you now.

The Church Urban Fund ceased using the Raiser’s Edge Database in 2018, moving to a new database service provider – Salesforce. As a result, it’s very unlikely that our supporters have been seriously affected by this incident. You do not need to take any action but it is always a good idea to be vigilant around your finances and report any unrecognised activity to your financial provider.

Nonetheless, we take the protection and safe use of your information very seriously and so we wanted to inform you, explain the incident and what it means for you.

What actually happened?
When Blackbaud discovered the attack, they acted quickly in consultation with cyber forensic experts and law enforcement to expel the cybercriminals from their networks. However, before they were able to do so, the cybercriminals stole a backup file containing personal information of some individuals. Blackbaud’s top priority was protecting the information of those involved, so they paid the cybercriminals’ demand, with confirmation that the copy they had extracted was destroyed before it was shared with any other parties.

What personal information was involved?
We have been assured by Blackbaud that no credit card, bank account or other payment information was involved in this attack. However, the cybercriminals did access personal information such as names, contact information (addresses, email addresses, phone numbers), donation history (gift dates and amounts), and in some cases, date of birth and gender. Blackbaud have also provided assurance that no information went beyond the cybercriminal, was or will be misused, or otherwise made publicly available.

As this breach affected a database we ceased using in 2018, any information you have provided to us since that date has not been affected.

What risks are likely or possible?
Based on the information provided by Blackbaud and the advice of our legal team, we have no reason to believe that you or your personal information is at further risk. However, your commitment to and support of the Church Urban Fund are so important to us that we wanted to inform you about this breach in case you wish to take measures to protect yourself. We believe that informing you with full detail is not only the right thing to do, but also honours the trust that you have placed in us.

While you do not have to take any action, we advise that you remain vigilant and report any suspicious communications or suspected identity theft to us or the police.

What steps are the Church Urban Fund taking to address this breach?
Like other charities involved in this incident, we have informed the Information Commissioner’s Office (ICO) and will be offering them all the information and support they need for their investigation as we continue to take the protection of your personal information very seriously.

We also launched an internal investigation to discover the extent of the breach specific to our data. An independent audit of our past Raiser’s Edge database was carried out so we could determine who was affected and take appropriate action. This process took some time to complete, which is why we are informing you now.

Like you, we are deeply troubled and concerned that this breach of your personal information occurred, especially as we had ceased working with Blackbaud prior to the breach. When the Church Urban Fund terminated our agreement with Blackbaud, we were given assurance that the backup of our database would be retained for a period of 6 months, in case of any issue in our migration, and then deleted. This was obviously not actioned by Blackbaud and we are seeking expert advice about any further actions that need to be taken.

Cybersecurity attacks are increasingly common. But they make everyone who has data stored online – and that is all of us in today's world – feel very vulnerable. We understand this completely. Our highest priority is protecting our donors as we work together to help communities across England flourish.

We deeply regret any inconvenience and worry this incident may cause you. Please be assured that we will continue to monitor this situation closely and will notify you of any further relevant information as it comes to light.

How to get in touch with us
Blackbaud is widely used by many organisations, so you may have already been contacted about this breach.

Should you have any further questions or concerns regarding this matter, please do not hesitate to contact the Church Urban Fund’s Data Protection Officer at hello@cuf.org.uk or by phone on 0203 752 5655.

Thank you so much for all you do for the Church Urban Fund. It is greatly appreciated and valued by all of us.