Cyber Incident Victim: The Donkey Sanctuary
Date:
May 2020
Location:
United Kingdom
Summary
A cyber-attack targeting Blackbaud, a third-party supplier managing the charity's supporter database, resulted in unauthorized access to children's personal information including names, birthdates, addresses, and contact details. The breach impacted The Donkey Sanctuary's supporters, with compromised data involving minors who participated in adoption programs and therapy services. While financial data remained secure due to encryption, the incident caused significant concern among affected families, exacerbated by delayed notification months after discovery. Blackbaud asserted the stolen data was destroyed and unlikely to be misused, collaborating with law enforcement to mitigate the attack. The charity emphasized ongoing efforts to enhance security and advised vigilance against potential identity fraud despite assessing the immediate risk as low.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2020, The Donkey Sanctuary, a charity operating a sanctuary in Sutton Park, discovered a data breach affecting its supporter database managed by third-party software provider Blackbaud. The breach occurred when cybercriminals targeted Blackbaud’s systems, potentially accessing personal information of supporters, including children who participated in adoption programs and therapy services. Compromised data included names, addresses, telephone numbers, email addresses, and dates of birth. The charity stated financial information such as bank details, credit card numbers, and passwords remained secure due to encryption. Blackbaud notified The Donkey Sanctuary of the incident after the breach was contained, though the charity acknowledged being informed only recently before issuing notifications in August 2020—approximately three months after discovery.
The Donkey Sanctuary sent letters to affected families in August 2020, confirming the exposure of children’s data and apologizing for the delay in notification. Blackbaud reported collaborating with law enforcement to disrupt the attackers’ access and claimed the stolen data had been destroyed with no evidence of misuse. The charity advised supporters to remain vigilant against identity fraud but emphasized the low risk assessed by Blackbaud. Parents expressed concern over the delayed disclosure, with one noting the incident could undermine trust in the charity. The Donkey Sanctuary worked with Blackbaud to investigate the breach and implement enhanced security measures, directing concerned individuals to contact their data protection officer via email. The organization declined to disclose the number of affected supporters.