Friday, July 31, 2020
The information below relates to a data security incident involving Blackbaud, Inc., a service provider of the National Academies of Sciences, Engineering, and Medicine. Our organization takes our data protection responsibilities very seriously. Further details are below, including the steps we have taken in response.
The Incident
On July 16, 2020, we were contacted by Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organizations and the higher education sector. Company representatives informed us that a Blackbaud service provider had been the victim of a ransomware attack that culminated in May 2020. The cybercriminal was unsuccessful in blocking access to the database involved in the attack. However, the cybercriminal was able to remove a copy of a subset of data belonging to several of their clients. This included a subset of National Academies data used for donor prospect research.
What information was involved?
We would like to reassure our members and friends that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cybersecurity experts.
Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers and bank account information or passwords, was accessible. Blackbaud also confirmed that no credit or debit card information was part of the data theft.
The National Academies data accessed by the cybercriminal in the Blackbaud database may have contained some of the following information:
Name, title, date of birth, spouse
Addresses and contact details such as phone numbers and e-mail addresses
Philanthropic interests, giving capacity, and summary giving history to the National Academies
Educational attainment
What actions were taken by Blackbaud?
We have been informed by Blackbaud that in order to protect our members’ and friends’ data and mitigate potential identity theft, it met the cybercriminal’s ransomware demand. Blackbaud has advised us that it has received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify that the data accessed by the cybercriminal has not been misused.
Steps we have taken in response
We have taken the following steps in response:
We are notifying affected members and friends to make them aware of this breach of Blackbaud’s systems so they can remain vigilant;
We are working with Blackbaud to understand why there was a delay between it finding the breach and notifying us, as well as what actions Blackbaud is taking to increase its security.
We do not believe there is a need for our members and friends to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
For questions related to the security incident, contact Alison Purvis, National Academies of Sciences, Engineering, and Medicine Chief Development Officer at apurvis@nas.edu.
We will continue to work with Blackbaud to investigate this incident. We very much regret the inconvenience that this data breach may have caused. Please be assured that we take data protection very seriously and are grateful for the continued support of our members and friends.