Michigan Attorney General Dana Nessel reminds Michigan residents, particularly college and other nonprofit donors, to watch out for fraudulent emails and phone calls seeking personal information or suspicious donation requests. This follows a ransomware attack on Blackbaud, a major provider of software services used by nonprofits in fundraising that resulted in the acquisition of donor information by a cybercriminal. Blackbaud customers include colleges, hospitals, churches and various other types of nonprofits throughout the U.S., including in Michigan.
Blackbaud notified affected customers using its services of the security breach, leaving it to those nonprofits to provide any notice to impacted individuals. The breach was reported by Blackbaud in mid-July.
The Blackbaud security breach and its impacts on nonprofits and consumers vary. Social Security numbers, credit card and bank account information were not accessed, according to Blackbaud. Accessed information generally included names, titles, telephone numbers, email addresses, mailing addresses, dates of birth and, more importantly, donor information such as donation dates, donation amounts, giving capacity, philanthropic interests and other donor profile information. Blackbaud claims that it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly” but, to date, has not announced any concrete substantiation of this claim.
Personal information with this level of detail, in the hands of fraudsters, is particularly susceptible to spear phishing – a fraudulent email to specific targets while purporting to be a trusted sender, with the aim of convincing victims to hand over information or money or infecting devices with malware. Anyone who receives a notification letter regarding the Blackbaud data breach should not dismiss the letter and should not only take the recommended steps in the notice. Recipients, and others, should also remain vigilant for suspicious emails, texts or phone calls asking for personal information, donations or other payments.
Nessel urges every Michigan resident who gets a text, email or call that is supposedly from an organization or business asking for login credentials, credit card, bank account or any other personal information to hang up and not respond.
For more information, read the Attorney General’s Consumer Alert Data Breaches, What to do Next.
Consumers are encouraged to file consumer complaints with the Michigan Department of Attorney General online or by calling 877-765-8388.