IHS reports data breach of software provider

"The cybercriminal did not access any credit card information, bank account information, or social security numbers."


The Institute for Human Services (IHS) this weekend sent its donors a notice of “a data security incident that may have involved your personal information.”

IHS is among of hundreds of organizations affected by a recent ransomware attack on Blackbaud, which specializes in providing online applications to support social good organizations.

Headquartered in Charleston, South Carolina but with offices and customers in the U.S., Australia, Canada, and the United Kingdom, Blackbaud’s security team responded to the attack in May, but acknowledged that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.”

“IHS uses Blackbaud to track donations, volunteer hours, event participation, and other engagements with our development office,” explained Jill Wright, director of IHS Philanthropy and Community Relations. “NO credit card information, bank account information, usernames, passwords, or social security numbers have been affected because they were all encrypted.”

Wright said that Blackbaud told IHS that a backup file was accessed sometime between February and May 2020. Although sensitive information was encrypted, “we have determined that the file removed may have contained your name, address, email address, and a history of your relationship with our organization, such as donations.”

Ransomware attacks usually involve encrypting a victim’s data, then demanding a ransom to restore it. Notably, Blackbaud paid the attacker a ransom for “confirmation that the data they accessed had been destroyed.”

“Blackbaud has assured us that there is no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” Wright said.

IHS is nonetheless advising its donors to monitor their credit reports and accounts for suspicious activity and potential identity theft.

“We sincerely apologize for this incident and regret any inconvenience it may cause you,” Wright wrote. “We value our relationship with you and take our responsibility to ensure the security of your data very seriously.”

Write noted that other organizations in Hawaii and across the country use Blackbaud. In the United Kingdom, a leading homeless charity and six universities were affected by the Blackbaud breach.

Leave a Reply