Statement concerning Blackbaud data incident

On 16th July MicroLoan was informed by Blackbaud, a trusted, leading global software provider for non-profit organisations, that they had been the victim of a ransomware attack on its systems in May 2020.

Blackbaud reported that the incident involved a cybercriminal removing a copy of a subset of data and demanded a ransom for either its return or confirmation of its destruction. Upon receiving credible confirmation that the data had been destroyed, Blackbaud paid the ransom. Blackbaud have confirmed that absolutely no credit card details or bank account information was included within the data subset, as this sensitive information has an additional layer of encryption on the site and is never actually stored in the database.

You can read Blackbaud’s full statement about the incident here.

MicroLoan are a client of Blackbaud and we use their services to support communications with our incredible supporters, enabling us to keep donors updated on our news, events and campaigns. We have received no evidence that any MicroLoan data was compromised by this incident. However, personal information including names and contact information such as addresses and phone numbers are stored on this system.

At MicroLoan we take data protection extremely seriously and have Data Protection Officers within the organisation who ensure all information is managed responsibly and in line with official guidance. We have been in contact with the UK data protection regulator, ICO, over this incident and are reviewing our current data protection practices, which we believe remain safe and secure. All evidence suggests that the risk of MicroLoan’s data being compromised in the future is very low. The ICO has confirmed it agrees with MicroLoan and Blackbaud’s assessment that the incident should be considered a low threat to our donors’ information.

This situation is ongoing and we are continuing to follow the information and guidance provided by both Blackbaud and the ICO. We will update this page with further information as the situation develops.

We really appreciate your continued support and understanding. If you have any questions about this incident, please do not hesitate to contact our Data Protection Officer Malin Rosenkvist at malin.rosenkvist@mlf.org.uk.