Cyber Incident Victim: Pace Center for Girls
Date:
May 2020
Location:
United States of America
Summary
A Florida-based nonprofit serving girls through education and social services experienced a donor data breach stemming from a security incident at its third-party fundraising software provider, Blackbaud. Compromised information included donor names, physical addresses, phone numbers, birthdates, and philanthropic profiles such as giving histories, though financial data and Social Security numbers were unaffected as the organization did not retain such details. The breach impacted over 200 entities globally, prompting the nonprofit to notify affected supporters while enhancing existing encryption protocols with additional authentication measures to safeguard data. The incident disrupted donor management systems but did not compromise internal operational records.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Pace Center for Girls, a Florida-based non-profit organization, experienced a data breach impacting donor information due to a May 2020 security incident at Blackbaud, its third-party cloud computing and fundraising software provider. Blackbaud notified Pace of the breach, which compromised donor and fundraiser data including names, physical addresses, phone numbers, birthdates, and philanthropic profile details such as giving histories. Pace confirmed its internal systems remained unaffected and emphasized that sensitive financial data like credit card numbers or Social Security information was not stored in the compromised database. The breach affected only information managed by Blackbaud's systems. Over 200 organizations globally were impacted by the Blackbaud incident, including prominent entities like the Boy Scouts of America, the National Trust, and multiple universities across the United States, United Kingdom, and Australia.
On August 5, 2020, Pace formally notified approximately 30,000 donors—including individuals, corporations, and foundations—about the breach via email. The organization committed to maintaining direct communication with Blackbaud to monitor developments and pledged to implement enhanced authentication protocols alongside existing encryption measures for improved data protection. Established in 1985, Pace provides education, counseling, and advocacy services to over 3,000 at-risk girls annually across 21 Florida locations. The breach did not disrupt its core operations or internal record-keeping systems. CEO Mary Marx underscored Pace's reliance on donor funding while clarifying the limited scope of exposed data. No evidence suggested misuse of the compromised information at the time of disclosure.