Data security incident - 7 February to 20 May 2020
We were recently notified of a data security incident relating to one of our third party service providers, Blackbaud - the computer software company that manages our supporter database.
More than 160 charities and universities have been affected by this data security incident.
Although we have been advised that risk to our supporters is very low, we wanted to make you aware of what happened and to reassure you of the steps that have been taken to safeguard all data.
Blackbaud has advised us that their cybersecurity team discovered and stopped a ransomware attack. However, prior to being locked out, the cybercriminal removed a copy of our back-up file containing some personal information.
Blackbaud has assured us that the cybercriminal did not access any credit card information, bank account details or social security numbers. However, the file may have contained contact information, addresses, and a history of your relationship with the Epilepsy Society.
Blackbaud paid the cybercriminal’s ransom demand to ensure that the file has now been destroyed. The company has assured us that it has implemented immediate changes to enhance and strengthen further, protection of all data. This includes identifying and fixing the vulnerability which allowed this incident to happen.
The incident happened between 7 February and 20 May 2020 and was reported to the Charity in July. We immediately reported the incident to the Information Commissioner’s Office (ICO) and the Charity Commission.
There is no need for you to take any action but we would ask you, as always, to remain vigilant and, as usual, to report any suspicious activity or suspected identity theft to us and the police.
The Epilepsy Society takes its data protection very seriously. Our Data Protection and IT Security Team is reviewing all third-party security measures to mitigate against any future incidents. We thank you for your understanding and if you have any queries or would like further information, please contact our Data Protection Officer email@example.com
Information on how you may use epilepsysociety.org.uk and other Epilepsy Society online services.