LIMERICK people who have made financial donations to Children’s Medical & Research Foundation (CMRF) Crumlin, which provides vital funding for Childrens Health Ireland Crumlin, formerly Our lady’s Children’s Hospital, Crumlin, have been informed by the organization that they may have had their names, contact information and a history of their donations, accessed in a “ransomware attack” by cybercriminals.
CMRF Crumlin chief executive, Denise Fitzgerald, states in an email which was circulated to supporters on August 19th, that the organisation is undergoing an “internal review” following the incident.
A CMRF Crumlin spokeswoman was asked, but did not disclose how many supporters may have been impacted, and she added, “that is information which we would regard as commercially sensitive and as such will not be in a position to provide”.
The data breach, involving technology firm Blackbaud — which provides database systems to CMRF Crumlin — occurred last May, and CMRF was notified on July 16th.
“On being advised of the incident we immediately undertook our own investigation and advised the Data Protection Commissioner of the incident,” Ms Fitzgerald states in the email to supporters.
She goes on to explain that Blackbaud advised CMRF Crumlin that it “paid the cybercriminal’s demand” on condition the perpetrator destroyed the information it had copied.
“CMRF Crumlin were not the target of the attack and were not party to the decision to make any payment, we were only made aware of this payment after it had occurred.”
Ms Fitzgerald states that Blackbaud has advised CMRF Crumlin that it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly”.
Blackbaud is currently working with law enforcement authorities to investigate the incident.
“We have worked with Blackbaud for a number of weeks to fully investigate what happened and what data may have been affected and having ascertained that we are now updating you,” Ms Fitzgerald continues.
She adds that, although CMRF Crumlin “has ascertained that the data that may have been accessed does not include banking information, credit card details or sensitive personal data…it may have contained names, contact information including telephone numbers, email addresses and mailing addresses, as well as a history of supporter donations”.
Blackbaud has already implemented several changes to protect CMRF supporters data from any subsequent incidents, which can presently “withstand all known attack tactics”.
Ms Fitzgerald said that CMRF Crumlin “remain in regular contact with Blackbaud and will continue to monitor the company’s response, we have also started our own internal review”.
“The risk to supporters from this incident is very low, however, we would always advise that you should remain vigilant and report any suspicious activity to the relevant authorities” and that “it has taken some weeks to clarify the details surrounding the attack and the data accessed”.
A disclaimer at the end of the email reads: “You are receiving this email as you may have supported CMRF Crumlin in the past. CMRF Crumlin is notifying you of a data breach which may have affected your personal data.”