Cyber Incident Victim: National Trust
Date: May 2020
Location: United Kingdom
Summary
A ransomware attack targeting third-party cloud provider Blackbaud compromised volunteer data belonging to a UK heritage conservation organization. Exposed information included names, dates of birth, addresses, contact details, and equality monitoring records, though financial data remained unaffected. The provider notified the organization weeks after the incident, asserting stolen data had been destroyed. The organization reported the breach to national data protection authorities, confirmed its membership systems were unaffected, and established a dedicated communication channel for impacted volunteers while reviewing data management security practices with the vendor.
Description
In May 2020, US cloud computing and software provider Blackbaud suffered a ransomware attack that compromised data belonging to the National Trust’s volunteer program. The UK-based heritage conservation charity was notified by Blackbaud on July 16, 2020, about the incident, which exposed personal information of past and present volunteers and volunteer program applicants. Compromised data included names, dates of birth, gender, addresses, and contact details, along with limited equality monitoring information classified as sensitive. National Trust Chief Information Officer Jon Townsend confirmed in an August 7, 2020 email to volunteers that no financial data or membership systems were affected by the breach. Blackbaud assured the Trust that all stolen data related to their systems had been destroyed following the attack. The ransomware incident specifically targeted Blackbaud’s infrastructure rather than National Trust’s direct systems.

Upon receiving notification from Blackbaud in July, the National Trust initiated response procedures including formal reporting to the UK Information Commissioner’s Office. The organization directly notified affected volunteers via email on August 7, 2020, detailing the scope of compromised information while emphasizing that no volunteer action was required. Townsend’s communication acknowledged the concern caused by the breach and reiterated the Trust’s commitment to data protection, stating they were reassessing data management security protocols. The charity established a dedicated email contact point for volunteer inquiries related to the incident. National Trust collaborated with Blackbaud to investigate the attack’s specifics while maintaining that their membership databases remained unaffected throughout the event. This breach exclusively impacted volunteer program data managed through Blackbaud’s third-party systems.
