Blackbaud Security Incident
To our alumni and friends:
On July 16, 2020, the University of South Dakota Foundation (“USDF”) was among hundreds of institutions notified by Blackbaud, Inc. (“Blackbaud”) of a ransomware attack affecting customer information Blackbaud holds as a service to its largely educational and nonprofit clients.
Blackbaud provides USDF a number of software solutions, including Financial Edge NXT (“FE”) and Raiser’s Edge NXT (“RE”), both popular among nonprofit organizations. FE is a comprehensive cloud-based fund accounting software solution that offers financial statement reporting, general ledger, accounts payable, accounts receivable (pledges), activity tracking, asset management, and bank reconciliation, among other features.
RE is a comprehensive cloud-based fundraising and donor management software solution that houses information generally relevant to USDF’s efforts to manage and track active and prospective donors, including first and last names; mailing addresses; email addresses; dates of birth; spousal information; work information; academic degrees; giving histories; wealth ratings; personal visit summaries; and other demographic and fundraising-related information.
Blackbaud indicated in its July notice that no credit card information, bank account information, or Social Security numbers were part of the security incident. In an effort to hold Blackbaud accountable and further understand the notice, USDF immediately engaged outside counsel to investigate the extent of the incident and its impact, if any, on our community of valued friends, alumni, and vendors. Unfortunately, as these efforts continued, USDF received on September 29, 2020, a second notice from Blackbaud indicating the potential exposure of customer information not previously disclosed.
Since receiving the second notice, USDF has continued its work with outside counsel to better understand the full scope of Blackbaud’s security incident and steps to promote incident awareness among impacted parties. As a result of these efforts, USDF mailed notice letters to a number of friends, alumni, and vendors of record whose personally identifiable information Blackbaud has indicated may have been part of the security incident. This information includes certain dates of birth, Social Security numbers, bank account numbers, and Tax ID numbers mostly associated with historical USDF business transactions rather than donor activity, e.g., expense reimbursements, direct deposits, and vendor payments.
It is important to note that, based on the information USDF has received from Blackbaud, we have no reason to believe that any personal information has been misused as a result of this incident, and Blackbaud has assured us that appropriate measures have been taken to resolve the incident, strengthen the Blackbaud network, and better secure data stored in the Blackbaud environment.
We remain in contact with Blackbaud to promote accountability and to better understand their corrective solutions. We regret any inconvenience this situation may cause. Should you have any further questions or concerns regarding a letter you received, please contact us at 605-624-5709 or firstname.lastname@example.org.
Blackbaud’s July 16, 2020, communication to USDF provides, in part:
“In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attempted attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment ... Because protecting our customers’ data was our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. In accordance with regulatory requirements and in an abundance of caution, we are notifying all organizations whose data was part of this incident[.]”
Blackbaud maintains it has taken steps to better secure data and has committed resources to monitor for evidence of data exposure, including the hiring of a third-party team of experts to monitor the dark web. To date, Blackbaud has indicated no evidence of misuse. Nonetheless, USDF continues efforts to hold Blackbaud accountable through outside counsel. We remain hopeful that the incident is fully contained and will provide further updates if necessary.
USDF is providing this information for your awareness and as a courtesy supplement to legal notification you may have received, depending on your state of residence. USDF is not requesting any action of you, but encourages as a best practice that individuals remain vigilant, promptly report any suspicious activity or suspected identity theft to proper law enforcement authorities, and take advantage of any credit monitoring services that may be available.