Statement on Blackbaud Security Incident

August 26, 2020

On July 16, 2020 Mercy Corps was notified of a cyberattack on one of our suppliers, Blackbaud, a cloud-based software company that provides services to many organizations around the world and utilized by Mercy Corps’ United States operation.

Mercy Corps has been informed, along with many other organizations, that the information of donors stored in our United States database hosted by Blackbaud may have been accessed as a result of the cyberattack. The information could have included names, addresses, email addresses, telephone numbers and birth dates. No financial information, such as credit card or bank account details, was involved in this incident. Further, we do not collect Social Security numbers, so that information is not involved in the incident.

We have been assured by Blackbaud that the risk to our supporters is low. The threat actors provided evidence to Blackbaud that the stolen information has been destroyed, and there is no reason to believe any data was or will be misused or will be disseminated or otherwise made available publicly. We encourage all Mercy Corps supporters to be wary of any unexpected communications and to always be vigilant when dealing with any suspicious emails, calls or mail.

We take the security of your data and privacy of our supporters very seriously, and we are very grateful for your contributions to Mercy Corps’ work around the world.

What happened?

Blackbaud reported to us that they discovered and stopped a cyberattack in May 2020, but not before the hacker gained access to its systems, copied a subset of data and held it for ransom. Blackbaud paid the ransom and received confirmation that the copied dataset was destroyed. For more details, you can read Blackbaud’s public statement on its website.

What information was accessed?

This security incident impacted a number of organizations, including Mercy Corps. Information about some of our supporters may have been accessed including names, addresses, phone numbers, email addresses, birth dates and relationship histories with Mercy Corps. Blackbaud assured us that no financial information (such as credit card and bank account details) was stored in the database that was compromised. No information related to supporters engaged through Mercy Corps’ European headquarters or other global offices was affected.

What Blackbaud and Mercy Corps are doing?

Blackbaud reported that based on the nature of the incident, its research and the investigation conducted by a third party cyber security firm which included law enforcement, there is no reason to believe that the data was or will be misused or will be disseminated or otherwise made available publicly. Blackbaud’s statement also describes changes they have implemented to prevent a similar event from happening again.

Mercy Corps takes the security of your data and privacy very seriously. Upon learning of the incident, we conducted an internal investigation to determine what information was involved in the incident and how it may affect our supporters. Mercy Corps remains in contact with Blackbaud regarding the details of this incident, and we are continuing to monitor its response.