Protecting you and your data – our response

July 29th, 2020

We’ve been informed by a US-based third-party provider we use to store some of our data, called Blackbaud, that they recently experienced a data security incident, and we understand this has affected a number of charities, foundations, not-for-profits and education establishments worldwide.

Upon being made aware of this, we immediately launched our own investigation, which has included informing appropriate authorities here in the UK including the Information Commissioner’s Office.

Although we have been assured by Blackbaud there is a low risk to the Anxiety UK community, we are currently in the process of contacting all members of Anxiety UK that may have been affected. 

We would like to reassure anyone who is not a member of Anxiety UK or who may have only contacted us for support via the helpline, email support service, live chat service and text support services, that this does not affect them in any way. Additionally, anyone who has purchased products from our online shop, other than membership, will not have been affected.

At Anxiety UK, we take our data protection responsibilities incredibly seriously and we are providing the following information and FAQs to help reassure those affected of what has happened and the steps we are taking in response to being made aware of this incident.

We hope the following FAQs help resolve any initial queries, but we have also set up a dedicated email address for any additional questions people may have – privacy@anxietyuk.org.uk.

  1. What has happened?

On 16 July 2020, we were informed by a US-based third-party provider we use to store some of our membership data, called Blackbaud, that they had been subject to a ransomware attack several weeks ago.

It related to a cloud-based customer contact system they provide to many hundreds of charitable and educational organisations around the world, including us here at Anxiety UK.

At this time, we understand Blackbaud discovered and stopped the cybercriminals’ attack on their IT systems. However, we do believe that a subset of data was removed during the initial breach, and this included a copy of our backup file containing some personal information for some of the people we support and work with.

Please rest assured, this does not contain any financial data such as payment card information or bank details. However, we have determined the file removed may have contained some personal contact information and history of some members’ engagement with us.

Based on the nature of the incident, our research and the extensive investigations that have taken place (including law enforcement), we have no reason to believe any data that was taken by the cybercriminal was or will be misused or will be disseminated or otherwise made available publicly. However, we do think it’s important to let our community know about this incident.

We have had reassurances from Blackbaud that the data has been destroyed and they have already implemented a significant number of changes to prevent this specific issue from happening again.

  2. Who are Blackbaud?

Blackbaud is one of the world’s largest providers of customer relationship management systems for hundreds of charities, not-for-profit organisations and the higher education sector in both the US and UK.

  3. When did it happen? Why are Anxiety UK only announcing this now?

We understand the initial data breach happened in May 2020. However, we were only notified by Blackbaud on July 16th 2020, and we immediately launched our own extensive investigation, which has included informing appropriate authorities here in the UK including the Information Commissioner’s Office and Charity Commission at the earliest opportunity.

  4. What data is compromised exactly, and how many people/members does this affect?

This incident related to a cloud-based customer contact system Blackbaud provide to many hundreds of charitable and educational organisations around the world, including us here at Anxiety UK. At present, they are not giving us specific details on the exact level of the data accessed for all these organisations.

Currently, we understand Blackbaud discovered and stopped the cybercriminals’ attack on their IT systems. However, we have been advised that a subset of data was removed during the initial breach, and this included a copy of our backup file containing some personal information for some of the people we support and work with.

Please rest assured, this does not contain any financial data such as payment card information or bank details. Blackbaud has confirmed that the investigation found no encrypted information, such as bank account details, credit card information or passwords, was accessible.

However, we have determined the file removed may have contained some personal contact information (basic details e.g. name, title, gender, date of birth etc) and history of some members’ engagement with us, including membership details, any donations made, and details of therapy outcomes for those that have accessed this service.

We would like to reassure our community that a detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and third-party cyber security experts in the US, and we’re continuing to work with them to understand more.

It is important to reiterate that although we have been assured by Blackbaud there is a low risk to the Anxiety UK community, we are currently in the process of contacting all members of Anxiety UK that may have been affected.

We would also like to reassure anyone who is not a member of Anxiety UK or who may have only contacted us for support via the helpline, email support service, live chat service and text support services, that this does not affect them in any way. Additionally, anyone who has purchased products from our online shop, other than membership, will not have been affected.

  5. What are you doing in response to this?

Blackbaud has informed us that, in order to preserve and protect customer data, they met the cybercriminal’s ransomware demand and they have had reassurances that this data has been destroyed.

Based on the nature of the incident, our research and the extensive investigations that have taken place (including law enforcement), we have no reason to believe any data that was taken by the cybercriminal was or will be misused or will be disseminated or otherwise made available publicly.

We have also had reassurances that Blackbaud are implementing changes to prevent this specific issue from happening again, and we are continuing to work with them to understand why there was a delay notifying us, as well as how their preventative steps will ensure their data protection is as robust as it can possibly be.

We do think it’s important to let our community know about this data security incident and we are writing to all affected to let them know what steps we are taking and what preventative measures they can put in place.

We have also launched our own investigation, which has included informing appropriate authorities here in the UK including the Information Commissioner’s Office and Charity Commission.

At Anxiety UK, we take our data protection responsibilities incredibly seriously and, as well as writing to all affected, we have also set up a dedicated email address for any additional questions people may have – privacy@anxietyuk.org.uk.

  6. What should those affected do if their personal data has been compromised?

As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will protect the data from any subsequent incidents.

However, ensuring the safety of the personal data we hold remains of the utmost importance to us and, although this matter has been largely out of our hands and our security and systems remain as robust as any charity could have, we’re keen to offer support and advice to our members about things they can do to protect themselves.

We would urge our community to continue to be wary of unexpected communication, to remain vigilant and to practise the usual caution around suspicious emails and letters.

If anyone feels they may have been a victim of fraud, they should report it to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. Its website is www.actionfraud.police.uk, and its telephone number is 0300 123 2040.

People can also find additional advice online about cyber fraud from Cifas, the UK’s fraud prevention organisation; their website is www.cifas.org.uk.

Should anyone have any further questions or concerns regarding this, then they can contact us by email via privacy@anxietyuk.org.uk.

We regret any inconvenience this may cause any of those affected and are grateful for our community’s continued support.