Notice of security incident
To provide full transparency for supporters of CommonBond Communities, we want to share that a third-party vendor we contract with experienced a security breach. Blackbaud, which hosts our database containing CommonBond supporters (and is the largest cloud software company in the world serving nonprofits), had a ransomware attack on its cloud-based servers. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attempted attack, Blackbaud’s security team stopped and expelled them from their system.
This incident did not result in access to any of our supporters' credit card information, bank account information, or social security numbers, if it was on file. Additionally, Blackbaud has shared that they have no reason to believe that any data went beyond the cybercriminal, or that it was or will be misused, or will be disseminated or otherwise made available publicly.
However, a subset of CommonBond’s supporter data was part of this incident. While different organizations’ data was exposed in different ways, the following personal information was accessed for some CommonBond supporters:
- Database ID# (a randomly assigned unique number to each database record)
- Estimated assets (a standardized Blackbaud-assigned estimate that is based on publicly available data like property values)
- Ask amount (a Blackbaud-created algorithm that assigns a recommended ask amount when requesting a donation)
Again, no credit card, bank account, or social security numbers were accessed. Additionally, no contact information (i.e., phone numbers, emails, or addresses) was accessed. Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. You can read more about Blackbaud’s response on their webpage: blackbaud.com/securityincident.
CommonBond remains deeply committed to the safety and security of personal data for its supporters. In the interest of full transparency, we wanted to make sure our supporters were aware of this incident through a variety of channels. If you have questions or concerns, please contact Derek Madsen, Executive Vice President of Resource Development, at Derek.Madsen@commonbond.org.