Selwyn College, Cambridge  [MENU]

 Facebook 48Twitter bird 48Flcikr 48Linkedin 48

Blackbaud data breach

We recently learned that Selwyn was one of a number of educational and voluntary sector organisations in Cambridge, the UK and across the world to have been affected by a data breach at the US company Blackbaud. Blackbaud provide cloud software and services and are one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.
We take our data protection responsibilities very seriously and as soon as we heard about the incident, we immediately launched our own investigation.

What happened?
On 16th July, Blackbaud informed us of a data security incident. Like a number of other higher education institutions in the UK and around the world, we use Blackbaud’s products to help us record and manage engagement with alumni and supporters of the college. Blackbaud told us and its other clients worldwide that they had been the victim of a ransomware attack between February and May 2020. With the help of independent forensics experts and US law enforcement, they were able to stop the ransomware attack and successfully prevented further misuse of their data. Nevertheless, a copy of a subset of data from a number of their clients was removed, which included some Selwyn College data.

In order to protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand in relation to this file. Blackbaud has advised us that having paid the ransom it received assurances that this data had been destroyed and since then there has been no indication that this data remains in circulation. You can read more about Blackbaud’s own account of the attack and their response at
https://www.blackbaud.co.uk/newsroom/news-archives/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped

What information was involved?
We would like to reassure you that:
• A detailed forensic investigation was undertaken on behalf of Blackbaud by US law enforcement and third-party cyber security experts
• Blackbaud have confirmed to us that their investigation found that no encrypted information, such as bank account or passwords, was accessible
• Blackbaud also confirmed that no credit card information formed part of the data theft
• There have been no reported incidents involving the misuse of any affected data
• Blackboard have reported the breach to the Information Commissioner’s Office (ICO)

Amongst the information that may been affected were the following:
• Personal details such as name, gender, date of birth
• Contact details such postal addresses, email addresses and telephone numbers
• Details of educational records such as the qualification(s) you received from Cambridge, year of graduation and any interests you had as a student such as members of student societies or sports clubs
• Details of your job title and employer name
• Other details that you might have shared including current interests

We continue to work with Blackbaud to clarify exactly the full extent of any possible risk to your data.

What are we doing about the situation?
Whilst Blackbaud is confident that the copy of the data file has been destroyed, we have taken a number of steps following our own investigation and as a result of direct communication with Blackbaud:
• Unfortunately, because Blackbaud is unable to confirm precisely which individual records have been affected, we are taking the precautionary step of writing to everybody for whom we hold a record.
• We are in the process of informing the Information Commissioner’s Office (ICO) of the breach and will await further guidance
• We are working with Blackbaud to understand the detail of the security enhancements they have already put in place or are planned, in order to minimise the risk of any recurrence.

We do not believe there to be a significant risk to you - nor any need for you to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

We are urgently reviewing our relationship with Blackbaud because online security is clearly a major concern. In the meantime, we are continuing to work with Blackbaud to investigate this matter and will keep this statement updated.

Please be assured that Selwyn takes your data protection very seriously and you can read our data policy here.

If you have any questions about our response, please contact us at alumni-office@sel.cam.ac.uk


This statement was last updated on 24 July 2020

Back to home page

 

 

Snippets from Selwyn...

 

 

 


 

Development & Alumni Office, Selwyn College, Grange Road, Cambridge CB3 9DQ. Tel:  01223 767 844  Email:  alumni-office@sel.cam.ac.uk

Registered charity number: 1137517.    Privacy Policy.   Cookie Policy.