As a valued supporter of The Christie charity, I want to let you know that we have been made aware of a security incident involving some of your personal data that the Charity holds.  

Before I explain more of the details and the steps we have taken, I want to say sorry for what has happened.

You do not need to take any action in relation to this incident.

Details of the breach

Like many charities, we use a third-party company to provide us with secure relationship management systems. The Christie charity uses Blackbaud, one of the world's largest providers of fundraising database software, to keep in contact with our supporters. They informed us on 16 July that they discovered and stopped a ransomware attack on their systems, although some data was compromised.

Many organisations across the globe that use their services have been affected, including over 125 charities and universities in the UK.

Blackbaud has assured us that the data compromised in the incident did not contain any password, bank account or credit card information.

Since then, we have been undertaking our own investigation to discover who and what type of data may have been affected.

Data which may have been affected

  • We believe that your name and the contact information you shared with us may have been accessed.
  • Any engagement you might have had with the charity in the past or future, such as signing-up for an event or a fundraising campaign.
  • The details of any donation you may have given to us in past (not any bank account or credit card details).

Blackbaud has confirmed to us that:

  • it has conducted an investigation (involving US and international law enforcement agencies);
  • no passwords, credit card details or bank account information were affected;
  • it obtained confirmation that the data removed by the cybercriminal was destroyed; and
  • it has no reason to believe that any data went beyond the cybercriminal or will be misused, disseminated or otherwise made available publicly.

You can see Blackbaud’s statement on this issue on the Blackbaud website.

We understand that this news may cause you some concern and we are very sorry for any distress or inconvenience caused by what is criminal activity against one of our service providers.

Further steps

We have taken the following actions in response to this incident: 

  • commenced a thorough investigation;
  • informed the Information Commissioner’s Office (ICO) about the breach;
  • asked Blackbaud to detail the steps that it will take to ensure that all our fundraising data remains secure and that it will not be affected by similar incidents in the future; and
  • asked for an explanation of the delay in Blackbaud informing us of this issue.

You do not need to take any action in relation to this incident.

However, we encourage you to remain vigilant and report any suspicious activity or suspected identity theft promptly to the police. You can also contact us if you want any further advice or reassurance.

We will let you know if there is any action you need to take in the future.

I want to assure you that we take data protection very seriously and are very disappointed with Blackbaud. Our privacy notice gives details about how we use your data and how to opt out of data processing activities.
If you have any questions or concerns about this matter, please email us at: the-christie.charitydata@nhs.net

Louise Hadley
Director of fundraising and corporate affairs