Blackbaud Data Security Incident
We were notified by Blackbaud, a company that provides the Ridgewater College Foundation with data management and software services, that they had experienced a data security incident. You may have already received a notification about this incident from other nonprofits you support, as Blackbaud’s fundraising and database services are used by thousands of nonprofit organizations worldwide and 15 of the 37 institutions of higher education in the Minnesota State System.
What’s Important to Know
Blackbaud was the target of a ransomware attack sometime between February 7, 2020, and intermittently until May 20, 2020. The hackers attempted to disrupt business by locking users out of their own data and in the process, accessed personally identifying information about Blackbaud’s nonprofit clients, including those of the Ridgewater College Foundation. Blackbaud informed us of the breach on July 16, 2020.
After discovering the attack in May 2020, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement—retrieved the stolen data and successfully prevented the cybercriminal from blocking their system access and fully encrypting files, and ultimately expelled them from the system.
The Minnesota State system IT and legal team launched an independent investigation on July 16 and sent us their confirmation of Blackbaud’s findings. We took the time to verify Blackbaud’s findings through the independent investigation before sending this message to our supporters.
What Information Was Involved
Blackbaud has confirmed that the investigation found no encrypted information, such as social security number, password, or any credit card information, was accessible. Therefore, any social security numbers, credit card or bank account information on file were not part of the incident. However, it is possible that contact information for some individuals may have been compromised. The information obtained by the intruders could include: name, address, phone number, email address, and if applicable, date of birth.
Blackbaud believes they have addressed this incident and are taking steps to ensure its security system is not compromised again. A full description of the incident is available on the Blackbaud site at: https://www.blackbaud.com/securityincident.
What We Are Doing
We immediately launched our own investigation and have taken the following steps:
- We are notifying affected constituents to make them aware of this breach of Blackbaud’s systems so they can remain vigilant;
- We are taking steps to learn how many other parties in the higher education and the wider not-for-profit sector have been affected.
We very much regret any inconvenience this incident may have caused. We take data security very seriously, along with the trust you place in us. We are confident in the Ridgewater College Foundation’s internal data security and privacy practices and will continue to work with Blackbaud to ensure your privacy and security is not compromised.
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities such as the Federal Trade Commission, and the Office of the Minnesota State Attorney General.
If you would like more information about the breach, please go to http://www.blackbaud.com/securityincident. You can also speak to someone at Blackbaud about the breach by calling 855-907-2099.
If you have questions, concerns or would like speak further about this incident please contact Kelly Magnuson, Vice President of Advancement & Outreach / Foundation Executive Director for Ridgewater College, via email at [email protected].