Middlebury College was among the Vermont educational institutions and nonprofits whose donor databases were hit by hackers earlier this year.
Donors to the college and other nonprofits have been asked to keep a close watch on their personal information after Blackbaud, the software company that some Vermont nonprofits use for fundraising, reported a ransomware attack involving donors’ personal information.
In Vermont, those affected included nonprofits Vermont Foodbank and Vermont Public Radio, in addition to Middlebury College.
Blackbaud, a South Carolina company that specializes in cloud-based fundraising software for nonprofits and educational institutions in the U.S., Canada and Europe, notified clients July 16 that its data had been stolen between Feb. 7 and May 20.
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” the company said in a statement.
One of Blackbaud’s clients is Middlebury College, which notified donors July 17 of the breach.
“It is important to note that the cybercriminal did not access your Social Security number and credit card numbers because Middlebury does not store this information in the database,” the college said, adding that Blackbaud had told the college there was no reason to believe the person who stole the information had used or disseminated it.
“The service provider has hired a third-party team of experts to continue monitoring for any such activity,” the college said. Spokesperson Sarah Ray declined to say how many donors were affected.
The Vermont Foodbank has notified its donors, Nicole Whalen, director of communications and public affairs, said July 23.
“It is our understanding that no sensitive information was involved in their incident,” Whalen said. “This means no financial information (including credit card or bank account information) was involved. We are also conducting our own investigation with a privacy expert to confirm that the information of our donors was not affected.
Vermont Public Radio is contacting all of its donors, starting with an email that went out to active members July 22 to let them know that their names, phone numbers, addresses and donor history were stolen. Credit card and bank account information are encrypted and “were not part of the attack,” VPR said in its notice.
“Upon receiving the notice, we immediately implemented our response plan and are working with privacy legal counsel to learn the full scope of the incident,” VPR said. “If we determine that personal information was acquired by the attackers, we will notify any individuals whose personal information was involved.”
It’s not clear why it took Blackbaud from May until July to inform its clients of the breach.
“That is one of the concerns we are continuing to bring up with them,” said  Brendan Kinney, VPR’s senior vice president for development and marketing. “Their explanation was that they needed time to complete their investigation of what happened, as well as consult with law enforcement and develop a communication plan for customers.”
VPR, which has been in business for 40 years, has a large database that includes 116,000 records from donors past and present, with about 25,000 active members. Those 25,000 donate about $5 million a year, or nearly two-thirds of the public radio station’s approximately $9 million annual budget, Kinney said.
“We’ve heard from donors who are appreciative that we shared the information and are being transparent, donors concerned about the security of their information, and some donors also asked to have their sustaining memberships (a monthly donation) canceled,” said Kinney, who added VPR is still notifying donors.
According to its 2019 annual report, Blackbaud, a publicly traded company with 2018 revenues of $850 million, serves more than 45,000 nonprofits, foundations, companies, educational institutions and health care organizations in more than 100 countries at the end of 2019.
Scott Finn, VPR’s president, said it’s not clear if VPR will continue using Blackbaud to handle its donations.
“That’s still to be determined,” he said.