You may have received a data breach notice from an arts organization that uses Blackbaud products. Long story short, Blackbaud was the target of a ransomware attack where the criminals managed to make off with some user data.
The League of American Orchestras notified individuals in their database who may have had Personally Identifiable Information (PII) compromised. According to that email message, this included information “such as your physical and email addresses, telephone numbers, demographic information, and a history of your relationship with our organization, including donation dates and amounts.”
By and large, the League’s notification letter was a good example of what a data breach notice should include…right up until it wasn’t (emphasis added).
Although we currently have no reason to believe that your information will be misused, we encourage you to remain vigilant and promptly report any suspicious activity or suspected identity theft to us, to Blackbaud, and to the proper law enforcement authorities.
Cyberattacks are decidedly a by-the-grace-of-god type of event for any organization, but I am at a loss as to how anyone would assume a cybercriminal won’t sell, trade, or use PII.
In case you’re wondering just how much of a problem data breaches have become over the years, here’s a good visualization of the largest data breaches and hacks since 2009 (interactive version):