Notice of Data Breach
We were recently notified by Blackbaud, Inc. (a third-party service provider) of a security incident. Prior to locking the cybercriminal out, the cybercriminal removed a copy of our backup file containing your personal information such as name, address or birth date. UPMC Altoona Foundation does not store credit card information, bank account information or social security numbers within our records. This occurred at some point beginning on February 7, 2020 and could have been in there intermittently until May 20, 2020.
Blackbaud, Inc. assured UPMC that they paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, Blackbaud Inc.’s research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
Ensuring the safety of our constituents’ data is of the utmost importance to us. After consulting with Blackbaud, Inc., UPMC Privacy and Information Security Division, and UPMC legal, and many affected peer fundraising organizations, we’ve determined the best course of action is to notify you by posting this notice on our website for 90 days.
As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud, Inc. assures us that they implemented several changes that will protect the data from any subsequent incidents. First, the provider’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. They have confirmed through testing by multiple third parties, including the appropriate platform vendors, that the fix withstands all known attack tactics. Additionally, they are accelerating efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
What You Can Do
We do not believe there is a need for you to take any action. As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. We will continue to monitor the situation and keep you informed of any changes. To learn more about the security incident with Blackbaud, please visit www.blackbaud.com