Dear CCAD Community,
We are writing to let you know about a data security incident at an outside vendor that may have involved some of your personal information. CCAD’s Development Department has a contractual relationship with Blackbaud, a widely used software service provider for engagement and fundraising offices in higher education and nonprofits. Blackbaud recently experienced a ransomware attack and has informed us that CCAD is among the affected institutions. Blackbaud has more than 35,000 clients around the world. While it appears that no personal identification information was made public, we believe we have an ethical responsibility to notify you of this incident and to keep you updated with additional information as it becomes available. Please be assured that CCAD does not store credit card, banking information, or social security numbers in the Blackbaud environment, and therefore those data were not involved in the incident.
CCAD was notified by Blackbaud of the incident on July 16 and received additional information from the company on July 17. At this time, we understand from Blackbaud that there was an attempted “ransomware” incursion into their systems beginning on February 7 and continuing until May 20. Prior to being locked out, the cybercriminal reportedly removed a copy of some Blackbaud customer backup files that may have contained personal information (other than credit card, bank account, and social security numbers). Blackbaud reports that, after discovering the attack, their Cyber Security team—together with independent forensics experts and law enforcement—successfully blocked the cybercriminal from encrypting files making them inaccessible, and that they prevented the files from being disseminated. According to Blackbaud, the company paid a ransom for confirmation that the backup file was permanently destroyed. More information about the incident can be found here.
What Information Was Involved
As noted above: the cybercriminal did not access your credit card, banking information, or social security number because CCAD does not store that data in the Blackbaud databases. However, Blackbaud has ascertained that the compromised files may have included constituents’ demographics, their degree information, CCAD affiliations, and other data internal to CCAD’s fundraising and engagement activities, such as event participation, notes from meetings, donor prospect ratings, and philanthropic giving history.
Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud states that it has no reason to believe that any data went beyond the cybercriminal, was misused, or will be disseminated or otherwise made available publicly. Nevertheless, the company has hired a third-party security service to monitor for such activity indefinitely.
Blackbaud’s Remediation Efforts
As part of its ongoing efforts to help prevent something like this from happening in the future, Blackbaud has affirmed to CCAD that it has already implemented changes to protect its system from any subsequent incidents: They have identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and taken actions to fix it. They have also confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, they are accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms.
What You Can Do
Although there is currently no evidence that your personal information has been misused, we recommend that you remain vigilant and immediately report to law enforcement authorities any suspicious activity or suspected identity theft. We sincerely apologize for this incident and regret any inconvenience it may cause you. We deeply value your relationship with CCAD and will continue to be vigilant in our work to ensure the protection of your personal information.
If you have any immediate concerns or questions, please contact us at firstname.lastname@example.org.
CCAD Chief Information Officer
CCAD Associate Vice President for Development