The information below relates to a data security incident experienced by Blackbaud, a third-party service provider to the University of Strathclyde. We believe this incident also involves a significant number of UK and US healthcare, educational and not-for-profit organisations, as well as University of Strathclyde data.
We take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are provided below, including the steps we have taken in response.
On 16 July we were contacted by Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack between February and May 2020. Whilst they ultimately managed to lock the cybercriminal out of their systems, prior to this, the cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included University of Strathclyde data.
We use the system Blackbaud provides to record engagement with alumni, donors, potential donors, event attendees, and friends of the University. Based on the information provided to us by Blackbaud, we are sharing details of this breach of their systems with members of our community who we believe may have been affected.
What information was involved?
We would like to reassure our community that:
- a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts; and
- Blackbaud have confirmed that the investigation found that no encrypted information, such as credit card information, bank account details or passwords, was accessible.
The data accessed by the cybercriminal may have contained some of the following information:
- basic details e.g. name, title, gender, date of birth and student number (if applicable);
- addresses and contact details e.g. phone, email;
- course and educational attainment details, e.g. what qualification you received and some of the extracurricular opportunities you participated in while studying at Strathclyde (if applicable);
- a record of your engagement with alumni and fundraising activities e.g. enquiries, event participation, volunteering, donations, and any other interactions you have with us;
- professional details, e.g. the profession you work in and your employer; and
- information about your interests you have provided to us e.g. in response to one of our surveys.
What are we doing about the situation?
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed.
However, we have immediately launched our own investigation and have taken the following steps:
- whilst we do not believe there is any specific risk to you as a result of this breach, we are notifying you so that you are aware and can remain vigilant;
- we have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance;
- we are taking steps to understand how many other parties in higher education and the wider not-for-profit sector have been affected; and
- we are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
There is no need for you to take any specific action at this time. However, to reflect best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
If anyone would like to contact a member of the University of Strathclyde team, please contact firstname.lastname@example.org where you will receive a response on weekdays from 9am to 5pm.
We will continue to work with Blackbaud to investigate this matter and to discuss our future engagement with them. We will continue to liaise with and be advised by our Data Protection Officer and Cyber Security team. We greatly regret that this incident occurred and sincerely apologise for any inconvenience that this data breach by Blackbaud may cause.
Please be assured that we take data protection very seriously and we are grateful for your continued support and engagement.