Bank account information and users’ passwords are among details feared stolen by hackers in a security breach at a service used to raise donations from millions of people.
Many UK universities and charities, as well as hundreds of other organisations worldwide, use the software involved.
It added it was contacting affected clients. They, in turn, will need to send follow-up alerts to at least some of the donors they had already contacted about the incident.
Millions of people worldwide have been warned they could have been affected in the original alerts sent out about the attack over recent months.
The South Carolina-based company said the new findings did not apply to all clients affected by the hack, but acknowledged that, in some cases, the payment information involved had not been digitally scrambled, as might have been expected.
“Further forensic investigation found that for some of the notified customers, the cyber-criminal may have accessed some unencrypted fields intended for bank account information, social security numbers, user names and/or passwords,” its filing said.
“In most cases, fields intended for sensitive information were encrypted and not accessible.”
One cyber-security expert said it was essential that affected donors be told as soon as possible.
“It’s simply not acceptable to store financial data, and passwords, in an unencrypted form,” said Prof Alan Woodward from the University of Surrey.
“This latest revelation means that whereas their customers relied upon their initial statements to reassure people that banking information was not affected, that has now to be potentially reversed.”
The BBC has asked Blackbaud if any of its UK-based clients were among those affected but has yet to get a response.
In mid-August, the Information Commissioner’s Office said it knew of 166 UK organisations that had been affected by the security breach.
They included dozens of universities as well as health-related charities, schools and trusts set up to care for historic buildings.
International clients who were affected also included hospitals, human rights organisations, non-profit radio stations and food banks.
The hack occurred in May and was first disclosed to the public in July.
At the time, Blackbaud said it had paid the attackers a ransom and believed the thieves had subsequently destroyed the stolen data.
Paying a ransom in such circumstances is not illegal, but goes against the advice of numerous law enforcement agencies, including the FBI, NCA and Europol.
- United States