Canada’s Heart And Stroke Foundation Exposed To A Cyberattack

I get a lot of my story ideas from people who read my blog, and from my wife. It’s the latter I have to thank for the news that the Canadian charity Heart And Stroke Foundation has been exposed to a cyberattack via a third party. She was informed of this via an email, which I have reprinted below:

Dear valued supporter, 

I am writing to inform you that Heart & Stroke has learned of a data security incident involving one of our third-party service providers that may involve your personal information. We are committed to the protection and privacy of your data and are contacting you to explain what has transpired so you can take extra precautions. 

What happened 

Heart & Stroke manages personal information related to our stakeholders for the purpose of volunteer and donor relations, communications and for historical record keeping through Blackbaud, one of the world’s largest software providers for non-profit organizations. 

On Thursday, July 16, we were notified by Blackbaud that it had discovered and stopped a ransomware attack in May. This attack impacted many of Blackbaud’s clients around the world, including Heart & Stroke. While Blackbaud has informed us that Heart & Stroke was not specifically targeted, we want to provide you with the same information that Blackbaud has provided us. 

How you may be affected 

Data from the Heart & Stroke community that may have been affected includes contact information, such as names, email addresses, telephone numbers and addresses. Blackbaud has assured us that data such as credit card numbers, usernames, and passwords were not compromised as these were encrypted. The cyber criminal’s ransom was paid and relevant data was destroyed, according to the update provided by Blackbaud. 

Blackbaud has informed us that there is no reason to conclude that the data related to the Heart & Stroke community will be misused, but we recommend that you exercise additional prudence. As the information affected is mainly contact information, the greatest risk would be from someone impersonating Heart & Stroke to solicit funds. Please let us know if you receive suspicious emails or other communications that claim to be from us. 

Blackbaud has carried out an internal investigation with the assistance of outside cybersecurity experts and law enforcement and is confident that the data was removed and has not been further used or disclosed. As an added precaution, their investigators are continuing to monitor for any usage of the data that was taken. 

Heart & Stroke’s action 

In addition to notifying you of this incident, we have reported the incident to relevant privacy commissioners and are seeking their advice on any additional safety protocols that we should consider. We are working with Blackbaud to enable multi-factor authentication to protect our records management system. Our call centre team has been updated on this matter and is available to answer your questions. 

If you unsubscribed 

We want to acknowledge that some recipients of this email may have previously unsubscribed from Heart & Stroke updates. We want to assure you that we have not re-added you to our mailing list, but felt it important to provide you with this update concerning your information that may have been affected. 

We value the trust and support of our constituents and regret the concern that this may have caused. If you have questions concerning this incident, please contact us at 1‑877‑882‑2582 or via email at donorinfo@heartandstroke.ca. 

Sincerely, 
Heart & Stroke
Doug Roth
Chief Executive Officer
Heart & Stroke Foundation

I have never heard of Blackbaud before this incident. So it was over to Wikipedia for some info on them:

Blackbaud is a cloud computing provider that serves the social good community — nonprofits, foundations, corporations, education institutions, healthcare organizations, religious organizations, and individual change agents.

I had a look around their website and found this release on the incident. It meshes with what The Heart And Stroke Foundation said, but it does have a bit of spin on it to make it sound like they stopped the attack. The fact is that if you pay the ransom, you didn’t stop anything.

I am concerned that the ransom was paid and they simply hope that the data was destroyed. I say that because paying the ransom only emboldens these scumbags, and you then have to trust that said scumbags actually destroyed the data. If you get one of these emails, you should take it as a sign to keep an eye out for phishing email, particularly messages that claim to be from the charity and ask for money.
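The notification says the main risk is someone impersonating Heart & Stroke to solicit funds, and that the charity's real address is donorinfo@heartandstroke.ca. As an added example (not code from the original post, Heart & Stroke or Blackbaud), the script below shows the kind of check a recipient or a mail filter can apply: it flags messages that invoke the Heart & Stroke name but do not come from the heartandstroke.ca domain, including lookalike domains, and messages whose Reply-To points somewhere other than the sender's domain. The three sample messages are constructed for the example; the assumption that heartandstroke.ca is the only legitimate sending domain comes from the address quoted in the notification.

```python
from email import message_from_string
from email.utils import parseaddr

# Legitimate domain, taken from the contact address given in the notification.
LEGIT_DOMAIN = "heartandstroke.ca"
# Words that, together, indicate the message is trading on the charity's name.
BRAND_WORDS = ("heart", "stroke")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def invokes_brand(text):
    """True when the text mentions both brand words (e.g. 'Heart & Stroke')."""
    lowered = text.lower()
    return all(word in lowered for word in BRAND_WORDS)


def assess(raw_message):
    """Return a list of reasons the message looks like charity impersonation.

    An empty list means none of the checks fired.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""

    reasons = []
    claims_brand = any(invokes_brand(t) for t in (display_name, msg.get("Subject", ""), body))

    # Uses the charity's name but is not sent from its domain.
    if claims_brand and from_domain != LEGIT_DOMAIN:
        reasons.append(f"claims Heart & Stroke but From domain is {from_domain!r}")
        # Domain itself imitates the brand (e.g. heartandstroke-secure.com).
        if invokes_brand(from_domain):
            reasons.append(f"lookalike domain {from_domain!r}")

    # Replies would be routed to a different domain than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    return reasons


# Constructed sample messages (not real mail).
LEGIT = """From: Heart & Stroke <donorinfo@heartandstroke.ca>
Subject: Important update about your information
To: supporter@example.com

Dear valued supporter, we are writing to inform you of a data security incident.
"""

LOOKALIKE = """From: Heart and Stroke Foundation <donations@heartandstroke-secure.com>
Reply-To: donations@heartandstroke-secure.com
Subject: Urgent: renew your donation today
To: supporter@example.com

Please confirm your gift at the link below.
"""

REPLY_TO_MISMATCH = """From: Heart & Stroke <donorinfo@heartandstroke.ca>
Reply-To: giving@mail-example.net
Subject: Your donation receipt
To: supporter@example.com

Reply to this message to update your payment details.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO_MISMATCH)):
        print(label, "->", assess(sample) or "no findings")
```

The checks are deliberately narrow: they catch the impersonation pattern the notification describes without treating every mention of the charity as hostile, so genuine mail from the charity's own domain with no redirected Reply-To passes clean.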

Hopefully the Heart And Stroke Foundation re-evaluates its relationship with Blackbaud going forward. I get that many organizations rely on third parties to run their operations. But they are only as safe as the third parties they use, and this incident is an example of that.
