Cyber Incident Victim: East Anglia's Children's Hospices
Date: Jul 2020
Location: United Kingdom
Summary
A children's hospice charity experienced a data breach when its third-party cloud service provider, Blackbaud, suffered a cyberattack that compromised historical donor information, including names, contact details, and donation records. No financial data was accessed. The organization promptly notified regulators and potentially affected individuals and assessed the risk of data misuse as minimal. The incident was international in scope, affecting numerous nonprofits and educational institutions globally through the compromised software platform.
Description
In July 2020, East Anglia's Children's Hospices (EACH), a UK charity with the Duchess of Cambridge as patron, was notified by its cloud services provider Blackbaud about a global data breach affecting multiple organizations. The US-based software firm, which managed EACH's donor management systems, reported that cyber attackers had compromised its network and stolen a backup file containing historical supporter information. The breached data included personal details of EACH donors recorded prior to January 2017, specifically names, physical addresses, email addresses, and donation histories. No financial information such as credit or debit card details was accessed during the incident. The breach formed part of a wider international cyberattack targeting Blackbaud's clients across the charitable and educational sectors, ultimately impacting hundreds of organizations globally. EACH confirmed the compromised data related exclusively to records maintained by Blackbaud and didn't involve more recent information stored internally after January 2017. While the exact method of the Blackbaud system intrusion wasn't disclosed by the charity, the incident represented a third-party supply chain attack affecting multiple dependent organizations simultaneously through a single vendor compromise.

Upon notification in July 2020, EACH initiated coordinated response actions beginning with an internal assessment conducted alongside Blackbaud to establish the breach's specific impact on their donor records. The charity formally reported the incident to the UK Information Commissioner's Office (ICO) as required under data protection regulations. Although EACH assessed the risk of data misuse as "extremely low," it proactively mailed notification letters to all potentially affected donors by mid-August 2020, detailing the scope of exposed information and reassurance measures. The organization maintained ongoing communication with Blackbaud throughout the investigation to monitor developments and ensure compliance with remediation protocols. By August 13, 2020, the ICO had registered 166 separate breach reports related to the Blackbaud incident as part of its broader investigation into the transnational cyberattack. EACH's public statements emphasized transparency regarding the third-party breach while clarifying that their operational systems remained unaffected and current donor records weren't compromised. The charity directed concerned supporters to official channels for additional information but didn't report any direct financial losses or service disruptions resulting from the data exposure.
