Data Security Breach Incident and Action Log

6th August 2020

The computer software company ‘Blackbaud’, which hosts our database, notified us on 16th July that between 7th Feb – 20th May they had experienced a data breach in the form of an attempted cyber-attack.  They advised us that a copy of our data, which may have contained some people’s personal information, was taken. It is important to note that this did not include any bank account, credit card or password details as we do not keep any of this information. Blackbaud further advised us that the copy of our data was destroyed before it could be passed on further or misused.

The information given to us by Blackbaud can be read in full here. They had reported the incident to the Information Commissioners Office (ICO).

The BBC reported last week that more than 160 organisations including Universities such as Aberystwyth, Brunel, Liverpool and other organisations such as The National Trust and more than 30 charities including Breast Cancer Now, Crisis and Sue Ryder had reported the Blackbaud Security Breach. Blackbaud advised us ‘the majority of our customers were not part of the incident’.

Our Actions

In line with our privacy policy we followed our own procedures and assessed the risk of data being misused as being low. However, we still considered it important to report the incident to the ICO, which we did.

Given our ‘low risk’ assessment, the time that had lapsed between our being notified of the incident and the actual data security breach and Blackbaud’s assurances and actions, and noting the actions taken by other affected organisations and charities, we did not consider it appropriate to contact all those whose data we hold or to place a prominent notice on our website but have logged this notice here.

As a general precaution we will be making sure people who donate and support our work are made aware as follows:

Please note: SMA UK will never contact you personally to request a donation by phone. If you were to be contacted in this way this would be a scam and should be immediately reported to the police and us. More information about online security is available from the National Cyber Security Centre (www.ncsc.gov.uk).

This notice will be placed in appropriate places on our website / in communications.

If you have any concerns or question about this incident, then please contact us.