Home News

Compassion UK Blackbaud Response

Compassion UK Blackbaud Response

The information below relates to a data security incident experienced by a third-party service provider of Compassion UK. At Compassion UK we take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are below, including the steps we have taken in response.

What happened? 

On 16 July 2020 we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of supporter database management systems to charities and the higher education sector. They informed us they had been the victim of a cyberattack in May 2020.

After discovering the attack, Blackbaud’s cyber-security team – together with independent forensics experts – expelled the hacker from their systems. However, before that was possible, the hacker was able to remove a copy of a subset of data from their clients. We are told this included Compassion UK data, as well as data from many other charities and universities around the world. 

We first learnt of this data breach on 16 July, and notified our supporters of the incident via email shortly afterwards. 

We use Blackbaud’s systems primarily to record and process supporter donations and manage Gift Aid. In July, we were assured by Blackbaud that all financial data was encrypted and not accessible to the hacker. Blackbaud have since informed us that this was incorrect and on 1 October 2020 we learnt it was possible that bank account details relating to Compassion UK supporters might have been accessible to the hacker in an unencrypted format, in certain circumstances. 

What data may have been affected? 

The data accessed by the hacker may have contained some of the following information: 

  • Basic details: Name, title, gender and Compassion reference number; and 
  • Contact details: Address, phone and email; 
  • Sort Code and Account Number used for donations; 
  • Donation history and Gift Aid status; 
  • Any research or donation notes appended to a supporter record. 

 Our investigations have enabled us to confirm that the following data was not compromised in the data breach: 

  •  Supporter Debit or credit card information.  
  • Date of Birth or Year of Birth. 
  • myCompassion usernames and passwords.  
  • Correspondence between supporters and children. 

 What are we doing about the situation? 

 Blackbaud has advised us that it believes the data taken is no longer accessible by the hacker. We are in the process of seeking further assurances on this point from Blackbaud. 

We have launched our own investigation and have taken the following steps: 

We immediately informed the Information Commissioner’s Office (ICO) and the Charity Commission of the breach. 

  • In addition to speaking to Blackbaud directly to find out what happened and ask our own questions, Compassion UK engaged an independent cyber security company and also a specialist legal firm. Together we are working with Blackbaud to understand what further actions they have taken to increase their security. 
  • We have informed our supporters by email and post recommending them to exercise increased vigilance in all matters relating to their personal details. In particular, it is good practice to: 
  • Check online accounts regularly, and contact the account provider if you recognise any unusual activity; 
  • Check that all your Direct Debits are up to date and delete any that are no longer needed. 
  • Be suspicious if anyone contacts you by email, phone call or text message asking you to confirm personal or financial details; and 
  • Be especially on guard for scam phone calls or emails that may look official, asking you to click links or open attachments that could put you at risk (also known as ‘phishing’). 

If you are a Compassion supporter, and you have further questions, please don’t hesitate to contact our Supporter Experience team who can be reached on 01932 836490, 09:30-16:30.  You can also email any questions or concerns to security@compassionuk.org.  

We are also able to offer a year of free credit and identity monitoring to supporters living in the UK who have been impacted by this incident, so please do get in touch for further details. 

Be inspired

Get a little compassion delivered straight to your inbox with our fortnightly.
Jana Bond

Words by Jana Bond

SHARE:

Twitter Facebook

More stories for you

“A Love Worth Sharing” Advent Podcast Series

Give yourself a moment at the start of each week in Advent to pause in wonder at God’s love, show...

28 November, 2024

email_signup_encourager 1 mins

Gifts of Compassion

Blessing a friend or family member with a charity gift is a wonderful way to give them a present ...

3 September, 2024

email_signup_encourager 1 mins

An Update on Haiti

We invite your prayers as violence has once again escalated in Haiti.

10 March, 2024

email_signup_encourager 4 mins
Homepage Banner

Join thousands of people praying to end poverty, take action through our appeals and activities, and be inspired by how God is changing lives.

Get a little Compassion in your inbox with our Prayer and Stories email.

Remember, you can unsubscribe at any time. Please see our Privacy Policy for more information.

Compassion UK Christian Child Development, registered charity in England and Wales (1077216) and Scotland (SC045059). A company limited by guarantee, Registered in England and Wales company number 03719092. Registered address: Compassion House, Barley Way, Fleet, Hampshire, GU51 2UT.