Smithsonian confirms that its donor data was potentially breached in ransomware attack

Hacking of Blackbaud software systems exposed hundreds of clients, including other US and UK nonprofits

The Smithsonian Institution in Washington, DC

The Smithsonian Institution and the Parrish Art Museum confirmed today that they were among the hundreds of organisations potentially affected by a ransomware attack earlier this year on a third-party software company in South Carolina that logs their data regarding fundraising and donors.

The hack on the systems of the software company, Blackbaud, gave an intruder access to information about donors and other constituents, including names, US addresses, phone numbers, summaries of donations and for some individuals, dates of birth, the Smithsonian says. The institution says it has begun notifying people linked to the Smithsonian whose information may have been accessible.

Previous news reports have identified other organisations whose data was potentially compromised as UK’s National Trust, Human Rights Watch, dozens of charities and universities in the UK and US, and the Corning Museum of Glass in New York.

The Smithsonian emphasises that the incident did not result in the exposure of any credit card information, Social Security numbers or banking information, saying that it does not collect or store this type of data.

Blackbaud says that after discovering the attack on its systems in May, it paid the hacker or hackers the ransom demanded, which it did not disclose. “We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” the software company adds.

The Smithsonian says it was informed of the data breach on 16 July, just as other institutions were being alerted, and recently reached out to donors. “Based on the nature of the incident, Blackbaud assured us that any stolen data has been destroyed by the unknown actor and stated they do not believe any data was disseminated or otherwise made available publicly by the unknown actor,” the Smithsonian says. “We will continue to investigate to confirm Blackbaud’s assurances and better understand what occurred.”

The potential compromising of Smithsonian and Parrish Art Museum data was first reported by artnet News. Both the Smithsonian and the Parrish, in Water Mill, New York, subsequently confirmed the exposure of their data in emails to The Art Newspaper.