Date: 2020-08-07

WHEELING—The Diocese of Wheeling-Charleston was notified on July 16 of a ransomware cyber attack on one of its service providers, Blackbaud. Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organizations and is utilized by many dioceses across the country, as well as the WVU Foundation. The Diocese enlists Blackbaud to manage several databases including mailing lists, donor lists, and electronic mailing lists.

In the ransomware attack, the cybercriminal was able to gain access to a subset of constituent data from several of Blackbaud’s clients, including the Diocese of Wheeling-Charleston. An investigation by Blackbaud confirms that no encrypted information, including bank account numbers, Social Security numbers, and credit or debit card information, was compromised. Officials with Blackbaud state that data accessed by the cybercriminal may have included constituent information such as name, title, date of birth, spouse, phone numbers, and email addresses.

In order to protect that data and to reduce potential identity theft, Blackbaud has met the demands of the cybercriminal, paid the ransom, and was assured by the attacker and third-party experts that the data has been destroyed. Additionally, Blackbaud has assured its clients that it is monitoring the web in order to verify that the data stolen has not been misused.

Ways we have always maintained the security of your information:

* We follow industry-standard best practices for all of our onsite systems;

* We have a Next-gen firewall for all onsite systems that monitors and filters all traffic into and out of our network and prevents threats from entering these systems;

* We utilize Multi-Factor Authentication (MFA), similar to the technology that banks use for online banking, to secure access to our hosted electronic mail system;

* Endpoint security on all network devices adds another layer of protection;

* Continuing end-user training and education helps our users to identify suspicious activity and e-mail-based attacks;

* Credit card and banking information is not stored on our servers and is encrypted once it is processed;

* A third-party provider ensures that internal systems are PCI (Payment Card Industry) Compliant to prevent cardholder data theft.

Steps we have taken in response to this attack:

* We are notifying affected constituents to make them aware of this breach of Blackbaud’s systems so they can remain vigilant;

* We are working with Blackbaud to understand what actions it is taking to increase its security;

* We are taking steps to learn how many other parties in the non-profit sector have been affected.

While the Diocese of Wheeling-Charleston believes that you do not need to take any action at this time, we feel that, out of an abundance of caution, it is important that you remain vigilant and report any suspicious activity or suspected identity theft immediately to the proper authorities.

The Diocese is continuing to work with Blackbaud as it investigates this incident and will update you accordingly.

Again, no encrypted information, bank account numbers, Social Security numbers, or credit or debit card information was compromised. For more information regarding this incident, please contact Rich Harrold, Diocesan Director of Information Systems and Security, at rharrold@dwc.org or 304-233-0880.

The Diocese sincerely apologizes for any inconvenience this breach of Blackbaud’s system has caused. Please be assured of our continued commitment to data protection and our prayerful thanks for your support of the Diocese.