We take the protection of your information very seriously. As soon as we were alerted on July 16, 2020, our staff immediately started taking action to lock down our data. Simultaneously, we were working to learn more about this incident so we could knowledgeably inform and explain the circumstances, the steps that have been taken in response, and actions you may consider.
WHAT HAPPENED?
Blackbaud (one of the world’s largest providers of financial and fundraising technology to nonprofits), was hacked and data from its clients throughout the world, including AFAS, was held for ransom by cybercriminals. This was a very sophisticated ransomware attack that began on February 7, 2020, and may have continued intermittently until May 20, 2020. Blackbaud paid an undisclosed ransom to the criminals after evidence showed that the stolen data had been destroyed. Blackbaud says the results of its research and that of forensics experts and law enforcement (the F.B.I.) indicate that it is highly unlikely that the stolen information was ever released, misused, or will be disseminated or otherwise made available public. Blackbaud and independent agencies are continuing to monitor the situation. We were first notified on July 16, 2020.
WHAT INFORMATION WAS INVOLVED?
According to Blackbaud, the criminals did not have access to what is commonly referred to as Personally Identifiable Information – encrypted credit card information, bank account information, usernames, passwords, or Social Security numbers stored in client databases. However, Blackbaud did determine that the compromised information may have contained some of the following:
- Contact information (Name, mailing address, phone, and email addresses)
- Contact demographical information (Age, gender, birthday, relationship to AFAS)
WHAT ARE WE DOING?
Upon learning of this security incident, AFAS contacted Blackbaud to understand the nature of the situation and what data was compromised. We also notified our Board’s Executive Committee, legal counsel and contacted our cybersecurity insurance provider to obtain better guidance on how to respond to this incident while protecting our customers.
We have notified all of our stakeholders and we stopped processing donations using Blackbaud’s systems effective August 11, 2020. We have reverted to a donation tracking provider we used in the past, while we search for a long-term solution. The security of our database and donor management system is of the utmost importance to us, so we believe these steps are necessary to ensure the future safety of your information.
WHAT YOU CAN DO?
Maintain strong personal security processes. Change passwords often and don’t share a single password with multiple sites. Two-step verification is often mentioned as a best practice, we recommend you remain vigilant by routinely reviewing financial statements and promptly report any suspicious activity or suspected identity theft to your financial partners and proper law enforcement authorities.
FOR MORE INFORMATION
While the nature of this incident does not legally require that we inform our donors, we pride ourselves on our transparency, so it is important to us that we keep you informed.
AFAS leadership and staff aspire daily to practice our business with integrity, honesty, truthfulness, and adherence to our absolute obligation to safeguard the public trust. As a valued donor, know that we value your privacy and freedom of choice.
We sincerely regret any inconvenience or concern caused by this incident. We, like you, are deeply disturbed by what has occurred and will continue to work hard to further secure our internal systems and vet our business partners’ security protocols. Hopefully, your trust and support of AFAS is reassured by our prompt response and transparency. As always, we thank you for your support, and we hope that you will continue as a strong partner in the support of our Airmen and their families.