CHARLOTTE — The Diocese of Charlotte announced this week that personal information about some of its constituents was exposed in a data breach experienced by third-party vendor Blackbaud Inc., in May.
Blackbaud is an international provider of fundraising and financial software for education, charitable and nonprofit organizations – many of which were affected by the company’s data breach.
Blackbaud hosts a variety of databases for the diocese and several were exposed in the incident.
The diocese announced in August that limited personal information of donors had been exposed in Blackbaud’s data security incident. Details are outlined in an Aug. 28 letter posted on the diocesan website: www.charlottediocese.org. After further investigation, Blackbaud recently informed the diocese that information associated with additional constituents of the diocese was also affected, including that of some employees, vendors, parents and students, school alumni and supporters.
In most cases, the data exposed did not involve sensitive personal information, the diocese said, citing information from Blackbaud. However, information involving current and former employees and vendors contained in a database the diocese stopped using by 2005 did include sensitive details such as Social Security Numbers, Tax Identification Numbers or bank account information. The individuals affected have been contacted directly by the diocese with information about the breach as well as credit monitoring and fraud assistance services being offered to them by Blackbaud.
The diocese said it has no reason to believe the exposed information was misused or made available publicly, but encouraged constituents to remain vigilant and report any suspicious activity to law enforcement.
“We are continuing to scrutinize what happened and what steps Blackbaud has taken to guard against such a breach in the future,” said Monsignor Patrick Winslow, the diocese’s vicar general and chancellor. “While we recognize that such incidents are becoming a hallmark of the digital world in which we live, we have to be vigilant to stay a step ahead in cybersecurity.”
Blackbaud’s breach made headlines across the country and beyond in July and August when the company initially disclosed it had been the victim of a ransomware attack. The company said the attack went on for weeks before Blackbaud detected and stopped it in May.
Before the attacker was locked out of Blackbaud’s computer systems, the individual(s) removed a copy of backup files involving thousands of clients. Working with federal law enforcement, Blackbaud said it agreed to pay the ransom “with confirmation that the data was destroyed.”
Initially, Blackbaud assured clients that sensitive personal information had not been exposed because it had been encrypted. But after further investigation, Blackbaud disclosed in late September that some sensitive personal and financial information left behind in “legacy” files had not been encrypted. In October, Blackbaud provided details about which of the diocese’s constituents had been affected.
The diocese has notified those affected through letters, email or school newsletters, as well as through its website.
In addition to the information previously described, other information exposed included:
- Information in a 2019 database of families enrolled in Mecklenburg Area Catholic Schools. The information dated back to 2008 and included parents’ names, addresses, contact information and in some cases students’ names and birth dates, and tuition information.
- Information in a 2016 database of alumni and donors to Charlotte Catholic High School. Dating back to 2002, the information included names, addresses, contact information, graduation dates and donor history.
For more information about the breach, please see Blackbaud’s explanation online. If you have additional questions, please call 704-370-3409. Read the Nov. 19, 2020 letter on the diocean website.
— Catholic News Herald