This is a disclosure of a data security incident involving a third-party vendor of Twin Cities Habitat for Humanity. The vendor provides services to nonprofits all over the world, and so you may be seeing similar notices from other organizations where you have made financial contributions in the past.
On July 16, 2020, we received a notification from Blackbaud—a company that provides us data management and software services—that Blackbaud had discovered and stopped a cyber-attack that impacted certain Twin Cities Habitat information. According to Blackbaud, it was the victim of a ransomware attack in May of 2020. The criminal accessed certain backup files, including data specific to Twin Cities Habitat. Blackbaud contacted law enforcement and engaged cyber security consultants, paid the ransom, and received assurances that the criminal destroyed the files that had been acquired. According to Blackbaud: “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
Twin Cities Habitat does not use Blackbaud to store or manage any financial information, so no financial information was impacted by this incident. The files that were accessed by the criminal included some personally identifiable information, specifically names, addresses, dates of birth, and some information regarding donation and volunteer activities. Because they were backup files, no information was lost.
Twin Cities Habitat engaged legal counsel and has communicated directly with Blackbaud. We believe that Blackbaud responded to this incident appropriately and have determined that this incident is not reasonably likely to subject you to a risk of harm. We trust Blackbaud’s report that the criminal was expelled from its system, and that it has no reason to believe that your personal information went beyond the criminal. Blackbaud will continue to monitor the dark web for evidence that information went beyond the criminal.
We have also taken appropriate internal measures related to our use of Blackbaud’s services and will continue to assess our ongoing relationship with Blackbaud.
No financial information was involved, and we believe the data was destroyed, and so we do not believe that this incident creates a risk of harm to our donors and volunteers. As always, you should remain vigilant and use best practices to prevent identify theft, including using complex and unique passwords online, and be on the lookout for email scams. You can learn more from Minnesota’s Attorney General at: https://www.ag.state.mn.us/Consumer/Publications/IdentityTheft.asp
We at Twin Cities Habitat appreciate your trust, and regret this has occurred. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
If you have any questions, please reach out to Twin Cities Habitat at firstname.lastname@example.org.