Dear Brothers & Sisters in Christ,
In an effort to maintaining transparency with our parishioners, congregations, institutions, and donors, I want to let you know that on July 16, 2020, our third-party vendor, Blackbaud, one of the world’s largest cloud software providers for higher education and not-for-profit organizations contacted us in regards to a security incident. Unfortunately, they were the victim of a data security incident in May 2020. We take the protection and proper use of your information very seriously. We are, therefore, contacting you to explain the event and provide you with steps to protect yourself.
Committed to data integrity and transparency, the Diocese enlists services provided by Blackbaud because they are beneficial to our data analysis and benchmarking processes. The nature of our relationship with Blackbaud is minimal. As such, only publicly available information from the Diocese’s relationship was exposed in this breach. Please be assured that no bank account numbers and credit/debit card information were involved. Additionally, we do not ask for Social Security numbers and have never kept them in our database.
What Diocesan Information Was Involved
The data accessed by the cybercriminal may have contained public constituent information such as name, address, phone numbers, and email addresses for parishioners and clergy members.
We want to reassure our community that:
Blackbaud, along with law enforcement and third-party cybersecurity experts, conducted a detailed forensic investigation and took mitigating steps to address this breach.
Blackbaud confirmed that the investigation found no encrypted information, such as bank account details or passwords, was accessible and that credit card information was not part of the data theft. (Regardless, the Diocese does not store data of this nature in the Blackbaud environment.)
Blackbaud has committed to strengthening its data environment, including improving the specific vulnerability that enabled this breach.
Our Response and Moving Forward
While the nature of this breach was significant, the Diocesan data compromised proved to be less critical than other higher education institutions around the country and in the United Kingdom. In the process of conducting our internal investigation, we wanted to notify you so that you are aware of this breach of Blackbaud’s systems.
There is no need for our community to take any action at this time. As a best practice, we recommend individuals remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
The Episcopal Diocese of Oklahoma remains in contact with Blackbaud regarding the details of this incident. We are continuing to monitor their response.