August 14, 2020

Notice of Blackbaud Data Incident

Concord Regional VNA was recently notified that a vendor, Blackbaud, discovered and stopped a ransomware attack affecting its systems. As reported by Blackbaud, data fields containing credit card or bank account information are encrypted and were NOT acquired or compromised during the incident. In the attempted attack, cybercriminals attempted to disrupt business by locking companies out of their own data and servers. Blackbaud’s Cyber Security Team along with independent forensics experts and law enforcement successfully prevented the cybercriminal from blocking access and fully encrypting files and locking them out of the system. 

Our agency takes the protection and proper use of your personal information seriously. We are contacting you voluntarily to explain the incident and provide you with steps you can take to protect yourself, even though the incident did not rise to the level of a breach that requires notification under applicable laws. 

Prior to locking the cybercriminal out, the cybercriminal removed a copy of the backup file containing personal information. This occurred at some point beginning on February 7, 2020 and could have been in there intermittently until May 20, 2020. It is important to note that the cybercriminal did not access your credit information, bank account information, or social security number. 

Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and third party with law enforcement investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

A detailed explanation of what happened can be found on Blackbaud’s web site at www.blackbaud.com/securityincident

This incident did not involve a compromise of systems we maintain, but ensuring the safety of our supporters’ data is of the utmost importance to us. Blackbaud has already implemented several changes to protect your data from any subsequent incidents. They have identified the system vulnerability associated with this incident including the tactics used by the cybercriminal and acted to fix it. Through multiple testing, the fix has been confirmed to withstand all known attack tactics. Blackbaud is also working to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms.

As a best practice, we recommend you remain vigilant in regularly reviewing and monitoring all of your account statements and credit history to guard against any unauthorized transactions or activity. If you discover any suspicious activity or unusual activity on your accounts, please promptly contact your financial institution or company. While Blackbaud has not confirmed what specific information may have been impacted, and while Blackbaud has indicated that payment card information, banking information, and Social Security numbers were not impacted, we have provided information below about additional steps you can take to protect yourself against fraud and identify theft. 

We regret this incident and sincerely apologize for any inconvenience it may cause you. Please be assured it is safe to make your charitable contribution knowing that in addition to the safeguards mentioned above, your payment credit card and bank financial information are encrypted. 

Should you have any further questions or concerns regarding this matter and/or the protections available to you, please call Melissa Howard, Director of Donor Relations at (603) 224-4093 or e-mail her at crvnainfo@crvna.org

Sincerely,

Beth J. Slepian, President/CEO

 

 

Additional actions to help reduce your chances of identity theft


Place a 1-year fraud alert on your credit file
An initial 1-year security alert indicates to anyone requesting your credit file that you suspect you are a victim of fraud. When you or someone else attempts to open a credit account in your name, increase the credit limit on an existing account, or obtain a new card on an existing account, the lender should take steps to verify that you have authorized the request when a fraud alert is active. If the creditor cannot verify this, the request should not be satisfied. You may contact one of the credit reporting companies below for assistance.
 
TransUnion
Fraud Victim Assistance Dept.
P.O. Box 6790
Fullerton, CA 92834
1 (800) 680-8289
www.transunion.com
 
Experian
National Consumer Assistance
P.O. Box 1017
Allen, TX 75013
1 (888) 397-3742
www.experian.com
 
Equifax
Consumer Fraud Division
P.O. Box 105069
Atlanta, GA 30348
1 (800) 525-6285
www.equifax.com 

Place a security freeze on your credit file
If you are very concerned about becoming a victim of fraud or identity theft, a security freeze might be right for you. Placing a freeze on your credit report will prevent lenders and others from accessing your credit report in connection with any new credit application, which will prevent them from extending credit. A security freeze generally does not apply to circumstances in which you have an existing account relationship and a copy of your report is requested by your existing creditor or its agents or affiliates for certain types of account review, collection, fraud control or similar activities. With a security freeze in place, you will be required to take special steps when you wish to apply for any type of credit. This process is also completed through each of the credit reporting agencies. You should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. In order to request a security freeze, you will need to provide some or all of the following information to the credit reporting agency, depending on whether you do so online, by phone, or by mail: 1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.); 2. Social Security Number; 3. Date of birth; 4. If you have moved in the past five (5) years, the addresses where you have lived over the prior five years; 5. Proof of current address such as a current utility bill, telephone bill, rental agreement, or deed; 6. A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.); 7. Social Security Card, pay stub, or W2;8. If you are a victim of identity theft, include a copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft.

Order your free annual credit reports
You can obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies once every twelve (12) months. Visit www.annualcreditreport.com or call 1-877-322-8228. Once you receive your credit reports, review them for discrepancies. Identify any accounts you did not open or inquiries from creditors that you did not authorize. Verify all information is correct. If you have questions or notice incorrect information, contact the credit reporting company.
 
Manage your personal information
Take steps such as: carrying only essential documents with you; being aware of whom you are sharing your personal information with; and shredding receipts, statements, and other sensitive information. Remain vigilant by reviewing account statements and monitoring credit reports.
 
Use tools from credit providers
Carefully review your credit reports and bank, credit card and other account statements. Be proactive and create alerts on credit cards and bank accounts to notify you of activity. If you discover unauthorized or suspicious activity on your credit report or by any other means, file an identity theft report with your local police and contact a credit reporting company.
 
Be aware of suspicious activity involving your health insurance
Contact your healthcare provider if bills do not arrive when expected, and review your Explanation of Benefit forms to check for irregularities or suspicious activity. You can also contact your health insurance company to notify them of possible medical identity theft or ask for a new account number.
 
Rights under the fair credit reporting act (fcra)
You have rights pursuant to the Fair Credit Reporting Act, such as the right to be told if information in your credit file has been used against you, the right to know what is in your credit file, the right to ask for your credit score, and the right to dispute incomplete or inaccurate information. Further, pursuant to the Fair Credit Reporting Act: (i) the consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information; (ii) the consumer reporting agencies may not report outdated negative information; (iii) access to your file is limited; (iv) you must give consent for credit reports to be provided to your employees; (v) you may limit "prescreened" offers of credit an insurance you get based on information in your credit report; (vi) and you may seek damages from a violator. You may have additional rights under the Fair Credit Reporting Act not summarized here. Identity theft victims and active duty military personnel have specific additional rights pursuant to the Fair Credit Reporting Act. We encourage you to review your rights pursuant to the Fair Credit Reporting Act by visiting https://files.consumerfinance.gov/f/201504_cfpb_summary_your-rights-under-fcra.pdf, or by writing Consumer Response Center, Room 130-A, Federal Trade Commission, 600 Pennsylvania Ave. N.W., Washington, D.C. 20580.
 
Obtain more information about identity theft and ways to protect yourself
You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself, by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General. Additionally, any suspected identity theft should be reported to law enforcement, including your state Attorney General and the Federal Trade Commission. Additional information is available at www.annualcreditreport.com. Under Rhode Island and Massachusetts law, you have the right to obtain any police report filed in regard to this incident.

Visit www.experian.com/credit-advice/topic-fraud-and-identity-theft.html for general information regarding protecting your identity.
 
Additional Actions to Help Reduce Your Chances of Identity Theft
The Federal Trade Commission has an identity theft hotline: 1-877-438-4338; TTY: 1-866-653-4261. They also provide information online at
•    www.ftc.gov/idtheft. For Mail: Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Ave., N.W., Washington, DC 20580.
•    For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-888-743-0023, www.oag.state.md.us.
•    For New York residents, you may contact and obtain information from these state agencies: New York Department of State Division of Consumer Protection, One Commerce Plaza, 99 Washington Ave., Albany, NY           12231-0001, 518-474-8583 / 1-800-697-1220, www.dos.ny.gov/consumerprotectionl; and New York State Office of the Attorney General, The Capitol, Albany, NY 12224-0341, 1-800-771-7755  https://ag.ny.gov
•    For North Carolina residents, the Attorney General can be contacted at 9001 Mail Service Center, Raleigh, NC 27699-9001, 1-877-566-7226 or 1-919-716-6400, www.ncdoj.gov.
•    For Rhode Island Residents, the Attorney General can be contacted at 150 South Main Street, Providence, RI 02903, www.riag.ri.gov or 401-274-4400.