Blackbaud Data Incident
The information here relates to a recent data security incident experienced by Blackbaud, a third-party service provider to Goodenough College. This incident also involves a significant number of UK, US and Canadian educational, health and not-for-profit organisations, and includes some Goodenough College data.
We do not currently believe there to be a significant risk, nor any need for Alumni to take any action at this time.
However, we take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are provided below, including the steps we have taken in response.
On 24 July, we were contacted by Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack between February and May 2020. Whilst they ultimately managed to lock the cybercriminal out of their systems, prior to this, the cybercriminal was able to remove a copy of a subset of data from a number of their clients.
You can read more about Blackbaud’s own account and their response at: www.blackbaud.co.uk/newsroom/news-archives/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped
Am I affected?
Based on the information provided to us by Blackbaud, we are sharing details of this breach of their systems with members of our community who we believe may have been affected.
The College uses NetCommunity, which is hosted and run by Blackbaud, and our data on NetCommunity was breached in the hack. If you have made a donation through our website, registered for an event, or signed up to the Alumni portal using the online forms created in Blackbaud NetCommunity (all via our website), your data may have been accessed.
What information was involved?
Blackbaud has confirmed to us that the data accessed by the cybercriminal may have contained some of the following information:
- basic details e.g. your name and title
- addresses and contact details e.g. home address, email address and telephone number (if provided)
- donations made and donation amounts.
We have been informed that Blackbaud chose to meet the cybercriminal’s ransomware demand, paying the ransom (to an undisclosed value). Blackbaud then received assurances from the cybercriminal that the data had been destroyed. Although the College cannot defend the actions of Blackbaud in paying the demand, we understand that based on the nature of the incident and third party (including law enforcement) investigation, there is no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What is the College doing about the situation?
Upon receiving notification from Blackbaud about the breach, we launched our own investigation and have taken the following steps:
- we have informed the Information Commissioner’s Office (ICO) of the breach;
- we are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security;
- we have notified parties we believe are impacted so that they can remain vigilant;
- we have posted this statement on our website to increase awareness and encourage vigilance.
What do I need to do now?
We do not currently believe there to be a significant risk to you, nor any need for you to take any action at this time.
As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If you would like to contact a member of the Goodenough College team, please email firstname.lastname@example.org where you will receive a response on weekdays from 9am to 5pm.
We will continue to investigate this matter with Blackbaud. The College will reconsider its ongoing relationship with Blackbaud given its response to this event in light of College policies and values. Furthermore, we will continue to liaise with and be advised by our GDPR Officer (Director of Operations).