Cyber security incident

We were notified late on Thursday 16th July about a criminal attack on Blackbaud’s servers in May. Blackbaud are the company that host our supporter database, and the database of a large number of other organisations. This has therefore meant that some details of our supporters have been accessed, including some personal information like their names, addresses and email addresses.

As a matter of urgency we have sought confirmation about the steps Blackbaud have taken to manage the situation. They have informed us that, to the best of their knowledge, all of the details that were accessed have now been destroyed. We are aware that they have paid a ransom to the cybercriminals for assurances that the stolen information has been destroyed. They have worked with law enforcement and a third-party company and have found no evidence that any of the information taken has been used, and continue to monitor for this.

They have informed us that new safeguards have been put in place to prevent this happening again.

The database that was affected includes supporters’ contact details (which may include phone number, email address and/or postal address) and some details of the nature of their activity with us, including if they have donated money, purchased a publication or signed a petition.

At the earliest opportunity, YoungMinds took action to report the breach to the Information Commissioners Office and took advice from a company specialising in data management and data breaches. Additionally, we submitted a Serious Incident Report to the Charity Commission. We also made a statement about the breach on our website. We continue to seek clarity from Blackbaud about how the breach occurred and confirmation of which data may have been accessed, and will notify individuals if it appears that sensitive data has been accessed. We have also consulted with our IT service provider to ensure that our internal systems are secure.

Blackbaud have assured us that to the best of their knowledge the data has been destroyed, and their ongoing monitoring has shown no sign of any of the information being used fraudulently. We continue to monitor the situation and seek independent advice.

We would recommend to all supporters to continue to take the usual steps maintaining caution. More information about protecting against fraud can be found here by the Met police.

No. Any potentially sensitive data about young people is kept securely on a different database. Therefore this information was not accessed.

This database was not used to process financial information or store banking or credit card details about supporters. These details are stored securely on a separate database that was not affected by the breach. As part of our ongoing investigation into this incident, we’ve discovered a very small number of financial documents held on the database hosted by Blackbaud, which have now been removed. Having consulted with both the ICO and our Legal Advisors, we remain confident that the risk to our supporters remains extremely low.

No. Blackbaud have also contacted us to confirm that we were not part of the subset that was referred to.