Notice of Data Security Event

On July 16, 2020, the Grand Rapids Public Museum was informed that one of our third-party vendors, Blackbaud, Inc. (“Blackbaud”), suffered a ransomware attack.  Blackbaud is a cloud computing provider that offers customer relationship management and financial services tools to many non-profit organizations, including the Grand Rapids Public Museum.

What Happened?  In May 2020, Blackbaud experienced a ransomware attack that impacted certain systems within the Blackbaud environment.  As a result of this incident, certain Blackbaud systems were encrypted and a database backup file related to the Grand Rapids Public Museum was removed from the Blackbaud environment by an unauthorized actor.  While Blackbaud’s investigation was able to determine that the backup file was removed between February 7, 2020 and May 20, 2020, its investigation was unable to confirm exactly when this occurred.  As a result, the unauthorized actor may have had access to certain information contained within the backup database.  Upon learning of this incident, the Grand Rapids Public Museum immediately began an investigation to determine the full nature and scope of the event and what, if any, data of the Grand Rapids Public Museum was impacted.

What Information Was Involved?  While Blackbaud reports that information was accessed, Blackbaud was unable to confirm what, if any, specific sensitive information was actually accessed or acquired by the unauthorized actor.  Therefore, out of an abundance of caution, the Grand Rapids Public Museum is notifying anyone whose sensitive information was potentially present in the impacted database at the time of this incident.  To date, the Grand Rapids Public Museum has not received any reports of actual or attempted misuse of anyone’s information.

What Are We Doing?  The confidentiality, privacy, and security of information in our care is one of our highest priorities and we take this incident very seriously.  When we were notified of this incident, we immediately commenced an investigation to determine what data of the Grand Rapids Public Museum may have been at risk.  Please know that the Grand Rapids Public Museum no longer receives membership, ticketing, or donation services from Blackbaud  Nonetheless, as part of our ongoing commitment to the security of information in our care, we are working to review our existing policies and procedures regarding our third-party vendors and are working with Blackbaud to evaluate additional measures and safeguards to protect against this type of incident in the future.  We will also be notifying state and federal regulators, as required.

For More Information.  If you have any questions about this incident, please email our dedicated email address at privacy@grpm.org.  You may also write to the Grand Rapids Public Museum at 272 Pearl Street NW, Grand Rapids, Michigan 49504.