Blackbaud, Inc. is a vendor that provides a variety of specialized customer relationship management products to universities and nonprofits, including many in Minnesota. They recently reported they discovered and addressed a cybersecurity incident that affected many of their customers, including the University and the University of Minnesota Foundation. This incident may have given a third party access to certain Blackbaud client information for a limited period of time.
The incident included only name, address and/or date of birth of certain University donors, alumni, and other supporters. Please be assured that we do NOT store Social Security numbers, bank account, or credit and debit card information, and therefore none of this information was part of the incident.
Blackbaud has engaged third party forensic experts to actively monitor the possible use of this information and to notify individuals upon detection of misuse. No misuse has been reported and we do not believe there is a need for you to take any action at this time. As a best practice, we recommend that you remain vigilant and promptly report to the proper law enforcement authorities any suspicious activity or suspected identity theft.
We sincerely apologize for this security incident of our vendor. The University and University of Minnesota Foundation understand the tremendous responsibility we have to protect the data we hold. Though this occurred with a third party, we are actively and thoroughly reviewing the incident.
On July 16, Blackbaud Inc. notified us and many of our peer organizations of a data security incident affecting higher education institutions and nonprofits across the United States. Blackbaud is one of the world’s largest providers of cloud-based fundraising and finance services for nonprofit organizations and the higher education sector.
The incident occurred between February 7 and May 20. Blackbaud informed us that they discovered and stopped a ransomware attack and, with the help of independent forensic experts and the Federal Bureau of Investigation (FBI), successfully prevented the third party from blocking or encrypting files.
However, the third party was able to remove data belonging to Blackbaud clients. This may have included information from the University of Minnesota Foundation.
The University of Minnesota Foundation does NOT store Social Security numbers, bank account, or credit and debit card information, and therefore none of this information was part of the incident. UMF data that may have been accessed in the Blackbaud database included only name, address and/or date of birth of certain University donors, alumni, and other supporters.
Blackbaud has informed us that in order to protect client data and mitigate potential identity theft, they met the cybercriminal’s ransomware demand and received assurances from third-party experts that the data was destroyed. Blackbaud has retained experts to continue to monitor the web in an effort to verify the data accessed has not been misused. In addition, Blackbaud reports that it is implementing enhanced security controls to protect its clients’ data.
We immediately launched our own investigation with University Information Security. We requested more information from Blackbaud to understand why there was a delay in notifying us following discovery of the incident and to learn what additional security measures have been taken. We assessed the exact impact of the incident on our data and notified impacted individuals directly to comply with state-by-state legal obligations.
Blackbaud helps to source, in aggregation, additional public information that may help determine a person’s likely affinity for the University.
We do not believe there is a need for you to take any action at this time. Although there is currently no evidence that your information has been misused, as a best practice we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
If you have additional questions about this security incident, please direct inquiries to email@example.com.