Compassion Ireland Blackbaud Response
Updated 30 July 2020
The information below relates to a data security incident with a third-party service provider of Compassion Ireland. At Compassion Ireland we take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are below, including the steps we have taken in response.
On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of supporter database management systems for not-for-profit organisations and the higher education sector. They informed us they had been the victim of a cyber attack in May 2020.
After discovering the attack, Blackbaud’s cyber security team - together with independent forensics experts - removed the hacker from their systems. However, before that was possible, the hacker was able to remove a copy of a subset of data from a number of their clients. We are told this included Compassion Ireland data.
The data accessed by the hacker may have contained some of the following information:
- Basic identifiers: name, title, year of birth, gender, Compassion reference number and Personal Public Service Number (PPSN) where provided for tax relief purposes;
- Contact details: address, phone and email;
- Donation history and CDS status;
- Any research or donation notes appended to a supporter record.
Blackbaud have assured us that the investigation found that no encrypted information, such as bank account details or passwords, was accessible, and that payment card information did not form part of the data breach. Also, correspondence between supporters and children was not impacted.
What are we doing about the situation?
Blackbaud has advised us that it believes the data taken is no longer accessible by the hacker. We are in the process of seeking further assurances on this point from Blackbaud.
We immediately launched our own investigation and have taken the following steps:
- We promptly informed the Data Protection Commission and the Charities Regulator of the breach.
- In addition to speaking to Blackbaud directly to find out what happened and ask our own questions, Compassion Ireland engaged an independent cyber security company and also a specialist legal firm. Together we are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what further actions they have taken to increase their security.
- We have now begun the process of emailing our supporters. The advice given to us by Blackbaud is that the risk to supporters is low, but out of an abundance of caution we felt it important that we notified them promptly about this incident.
There is no need for our supporters to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.