PCHAS Statement on Blackbaud Data Security Incident

View the PDF version of this statement.

Blackbaud, Inc., one of Presbyterian Children’s Homes and Services third-party service providers, and one of the world’s largest providers of customer relationship management software, notified us on July 16, 2020 that their system has been the target of a ransomware attack.  

Blackbaud reported that the data security incident started in February 2020 and possibly continued intermittently until May 2020. PCHAS was one of numerous organizations that was impacted. It is important to note that Blackbaud assured us that no encrypted data such as Social Security numbers, bank account information, and credit/debit card information was accessed or stolen. We are conducting an internal investigation to confirm this assurance and we are working with Blackbaud and our own legal advisors to monitor this situation. If any such data is found to have been viewable, we will notify the impacted individuals directly.  

According to Blackbaud, the cyber-attack was successfully stopped and the cybercriminals were expelled from its system. However, Blackbaud believes that the cybercriminals were able to remove a copy of a backup file that Blackbaud stored as part of its ordinary course of operations. We have been informed this file contained limited non-financial information, such as names, addresses, phone numbers, date of birth and giving history.  

Blackbaud assured us that based on the nature of the incident, their thorough investigation, and their cooperation with law enforcement, the contact data that was potentially accessed has been destroyed and there is no reason at this time to believe any data was accessed by any other parties, or will be misused, or will be disseminated or otherwise made available publicly. In exchange for a ransomware payment made by Blackbaud to the cybercriminals, Blackbaud assures us that the data was deleted and the risk to individuals is very low.  

We do not believe there is a need for you to take any action at this time, but we wanted you to be aware of this development that affects hundreds of organizations. As a best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.  

We value your relationship with Presbyterian Children’s Homes and Services and the faith you put in us. Please know that we take the security of your information very seriously and share your concern about this incident. Blackbaud has already implemented changes to its security controls to better protect against a potential future attack, and we are working with Blackbaud to assess the best path forward.  

While PCHAS was not the specific target of this attack, nor was it the only organization affected, we are always concerned about the sensitive information we hold and treat the security and privacy of your information with the utmost care. Thank you for your continued support of PCHAS’ Christ-centered programs and services to children and families in need. If you have questions regarding PCHAS’ data related to this incident, please contact me at the information provided below.  

For the children, 

Rev. Peter D. Crouch, CFRE 

Senior Vice President of Development 

peter.crouch@pchas.org | 512-433-9157 | July 31, 2020