Statement Regarding Blackbaud Data Breach

31 July 2020

Manchester Foundation Trust Charity uses a Data Processor, Blackbaud, to manage our donor database and supporter communication systems.

Blackbaud is an industry-recognised provider which is used by many charities both in the UK and internationally.

We are notifying you of a data breach which may have affected your personal data.

What Happened

On the 16th July 2020 Blackbaud notified us of a security incident. At this time, we understand they discovered and stopped a ransomware attack.

After discovering the attack, Blackbaud’s Cyber Security team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system.

Prior to stopping the ransomware attack the cybercriminal removed a copy of the backup file containing your personal information. This occurred at some point beginning on 7th February 2020 and could have been in there intermittently until 20th May 2020.

What Information Was Involved

Blackbaud has assured us that the cybercriminal did not access any bank details which we may hold on your record, and, please note that we do not store any credit card information.

Blackbaud has informed us that the file that was removed may have contained some personal information about you, such as your name, address, mobile number, email address and a history of your relationship with us, such as donation dates and amounts.

Blackbaud has informed us that based on the nature of the incident, their research, and third party (including law enforcement) investigation, they have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or, will be disseminated or otherwise made available publicly.

Next Steps

We are conducting our own investigation and we have logged this data breach with the Information Commissioner’s Office (ICO).

As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the appropriate authority.

Guidance on reporting fraud and Cyber Crime can be found using the following link:

https://www.actionfraud.police.uk/reporting-fraud-and-cyber-crime

In the meantime, should you have any further questions or concerns regarding this matter, please contact us on 0161 276 8986, or, charity.office@mft.nhs.uk  Our office is open Monday to Friday, 8:30am – 5pm.

Manchester Foundation Trust Charity supports the work of Manchester University NHS Foundation Trust (MFT). MFT is the registered data controller for Manchester Foundation Trust Charity.

Manchester Foundation Trust Charity is registered with the Charity Commission as Manchester University NHS Foundation Trust Charity. Registered charity number 1049274. Manchester Foundation Trust Charity’s family of hospitals comprises:

  • Manchester Royal Infirmary
  • Wythenshawe Hospital
  • Royal Manchester Children’s Hospital
  • Manchester Royal Eye Hospital
  • Saint Mary’s Hospital
  • Manchester University Dental Hospital
  • Withington Community Hospital
  • Trafford General Hospital
  • Altrincham Hospital