The software provider at the centre of a ransomware attack that affected dozens of charities earlier in the summer has admitted that some financial information might have been stolen.
Blackbaud is one of the biggest providers of fundraising, financial management and supporter management software to the UK charity sector.
It is not clear how many charities might have been affected.
After Blackbaud was hacked in May, several charities came forward to admit they had been caught up in the cyber attack.
The Charity Commision later confirmed that at least 30 UK charities had been affected.
The US-based technology company apologised to customers and said it had made changes to avoid a similar attack in the future.
Blackbaud also paid the ransom to ensure that data would not be made publicly available or shared elsewhere.
Affected customers were told that only names, addresses, email addresses and telephone numbers had been stolen.
But in a new filing with the US Securities and Exchange Commission, Blackbaud said: “After 16 July, further forensic investigation found that for some of the notified customers, the cyber-criminal may have accessed some unencrypted fields intended for bank account information, social security numbers, user names and/or passwords.
“These new findings do not apply to all customers who were involved in the security incident. Customers who we believe are using these fields for such information are being contacted the week of 27 September 2020 and are being provided with additional support.
“We expect our security incident investigation and security enhancements to continue for the foreseeable future. We intend to continue to inform our customers, stockholders and other stakeholders of any such additional information or developments as possible.”