Aug. 21, 2020

Notice of Blackbaud data breach

Habitat for Humanity Canada (Habitat Canada) learned on July 23, 2020 that one of our third-party service providers, Blackbaud, has experienced a cyber incident that has impacted many of its clients around the world, including Habitat Canada. Unfortunately, some personal information of some stakeholders may have been affected by this incident.

While the incident did not occur at Habitat Canada, we take the protection and proper use of personal information very seriously, no matter where it resides. In the interest of full transparency, we are posting this notice about this incident although Blackbaud has successfully mitigated the issue. Below, we are sharing relevant information and the steps we are taking.

What happened?

Habitat Canada was informed of a cyber incident at Blackbaud on July 23, 2020 by Habitat for Humanity International (Habitat International) and confirmed it with Blackbaud on the same day. Blackbaud is a third-party service provider that provides Habitat Canada various services, including managing some data of certain stakeholders. As a data management vendor, Blackbaud was responsible for all data security. Blackbaud discovered the incident in May 2020 and has published information about the incident here: www.blackbaud.com/securityincident.

Blackbaud advised that it was a victim of a sophisticated ransomware attack. After discovering the attack, Blackbaud’s cybersecurity team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking its system access and ultimately expelled them from the system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of a backup file from the Blackbaud system, which contained some personal information of some stakeholders. This occurred between February 7, 2020 and May 20, 2020.

Since being informed of the incident, Habitat Canada has been working to gather information about the scope and severity of the incident, to evaluate the impact of the incident, and to ensure that our systems are adequately protected going forward. Habitat Canada has also sent emails to certain stakeholders about specific personal information that may have been impacted.

What information was impacted?

The personal information potentially affected varies by stakeholder. No sensitive financial information (such as credit card numbers or banking information) related to any stakeholders was impacted. In our emails to certain stakeholders, we have advised of specific personal information that may have been impacted.

Blackbaud has advised that it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. This is based on the nature of the incident, Blackbaud’s third-party investigation (which included law enforcement), Blackbaud’s payment to the cybercriminal after receiving credible confirmation that the copy of the backup file had been destroyed, and Blackbaud’s hiring of outside experts to monitor the web who have found no evidence that any information has been released.

What are we doing?

As stated above, Habitat Canada has sent emails to certain stakeholders by email about specific personal information that may have been impacted.

Habitat Canada is also working with Habitat International, which is working in coalition with other non-profit organizations affected by the incident to ensure that Blackbaud is held accountable for the consequences of the incident, takes appropriate actions to try and prevent future incidents, and informs all affected organizations.

Blackbaud quickly identified the vulnerability associated with this incident and took swift action to fix it. Blackbaud has confirmed through testing by multiple third parties, including the appropriate platform vendors, that its fix withstands all known attack tactics. Additionally, Blackbaud is accelerating its efforts to further harden its environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms. As noted above, Blackbaud has engaged with law enforcement as part of its investigation into this incident.

What can you do?

As always, you should remain vigilant with respect to unsolicited emails. Remember, Habitat Canada will never contact you requesting any password information or login credentials. If you ever notice suspicious activity, you should of course report it to the appropriate authorities and organizations.

If you ever have any concerns about the validity of any contact you receive from Habitat Canada, you may find our contact information independently through our website at habitat.ca and contact us to confirm.

Habitat Canada’s commitment to protecting your data

Habitat Canada is deeply concerned with protecting the data of our stakeholders. Habitat Canada’s Privacy Policy details how we collect and use data, which is in full compliance with all applicable laws and best practices in the non-profit sector.

If you have any additional concerns or questions about this incident or about how Habitat Canada manages data, please contact Lalit Varma, Chief Privacy Compliance Officer at privacy@habitat.ca, or by mail to Habitat for Humanity Canada (Privacy Office), 477 Mount Pleasant Road, Suite 403, Toronto, Ontario M4S 2L9 with ‘Attention: Chief Privacy Compliance Officer’.