News: Blackbaud Data Security Incident

August 11, 2020

Diocesan logo

Blackbaud Data Security Incident

The Diocese of Des Moines was recently notified by one of its third-party service providers, Blackbaud, that a data breach had occurred sometime between Feb. 7, 2020 and May 20, 2020. Blackbaud offers cloud-based fundraising and finance services for not-for-profit organizations. 

Those responsible for the attack were able to access information belonging to several of Blackbaud’s clients, including the Diocese of Des Moines, as well as Catholic Charities, and the Catholic Tuition Organization.

Data that was accessed may have contained information such as name, mail and email address, date of birth, phone numbers, giving history, etc. for donors and vendors of the diocese, Catholic Charities or Catholic Tuition Organization.

Sensitive information that was not taken or accessed includes Social Security numbers, tax ID numbers, bank account, and credit and debit card information. Blackbaud encrypts such information for donor and vendor protection and therefore none of this information was part of the incident.

Blackbaud paid the ransomware demand to protect customer data and mitigate potential identity theft. The Diocese of Des Moines was not asked to and did not pay any part of the ransom paid by Blackbaud. Based on third-party investigations with law enforcement, Blackbaud does not believe any data went beyond the cybercriminal, was or will be misused, or was disseminated or will be available publicly. Blackbaud has assured us it has been monitoring the web in an effort to verify the data accessed by the cybercriminal has not been misused.

Upon learning of the data breach, the Diocese of Des Moines immediately launched its own Data Security Response protocols and have taken the following steps:

  • Leadership at the Diocese of Des Moines, Catholic Charities and Catholic Tuition Organization were made aware of the breach of Blackbaud’s systems so they can remain vigilant.
  • We have provided public notification of the breach of security through this post on our website.
  • We have notified our banking institutions and insurance providers of the breach.
  • Along with other institutions, we seek to understand the timeline between when the breach was found and Blackbaud’s July 16, 2020 public notification. 
  • We will continue to evaluate the scope of our relationship with Blackbaud going forward.

We do not believe there is a need for our donors or vendors to take any action at this time but in the interest of transparency, we want to share this news with you. As a best practice, we recommend that you remain vigilant and promptly report to the proper law enforcement authorities any suspicious activity or suspected identity theft.

For more information on this incident, please email the diocesan Communications Office or call 515-237-5046.