Sunnybrook Statement: Notice of Blackbaud data breach
September 30, 2020 Update: Blackbaud confirmed to Sunnybrook Foundation that upon further investigation there were no additional impacts to the Sunnybrook system beyond what was originally communicated.
Sunnybrook Foundation recently learned that one of our third party service providers, Blackbaud, experienced a ransomware attack that involved many of its charitable and not-for-profit organizations around the world, including Sunnybrook Foundation. In a ransomware attack, cyber criminals attempt to disrupt a business by locking companies out of their own data and servers.
Sunnybrook Foundation uses Blackbaud’s customer management relationship platform to manage donor and organization data.
Financial information such as banking or credit card information was not impacted.
What happened
Blackbaud has told us that, after discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking system access and fully encrypting files; and ultimately expelled them from the system.
Blackbaud informed Sunnybrook that Blackbaud paid a ransom and the cybercriminal confirmed that copies removed were destroyed.
Blackbaud has also hired a forensic firm to monitor the internet and dark web for any signs of the breached data.
What information was involved
A subset of our donor database was impacted. We believe that the data could have included name, address, email address and details of online donations to Sunnybrook Foundations.
Financial information such as banking or credit card information was not impacted. Data involved in this incident came from the Sunnybrook Foundation only. Hospital records were not involved in any way.
What Sunnybrook Foundation is doing
We have notified directly by email the individuals whose information may have been impacted by the breach. If we learn through our investigation that additional donor information was accessed, we will contact those donors directly.
Sunnybrook Foundation takes donor privacy and data security seriously and we continue to work with Blackbaud to understand why this happened and what steps they are taking to increase their security.
What you can do
There is no further action for you to take at this time, but we recommend and encourage you to remain vigilant and report any suspicious activity or any suspected identity theft to your local law enforcement agency.
We regret the inconvenience that this issue may cause. We are here to address your questions or concerns. You can contact the Sunnybrook Foundation team by emailing foundation@sunnybrook.ca.