Frequently Asked Questions About the May 2020 Blackbaud Data Breach
Why did I get a message from Santa Clara?
Blackbaud, a U.S.-based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified Santa Clara University that it had experienced a ransomware attack in May 2020 that may have involved limited personal information about some SCU alumni, parents, friends, and donors.
Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected by this attack. Blackbaud provides Santa Clara’s fundraising technology platform, and is a respected provider of cloud and data services used by more than 25,000 organizations in more than 60 countries. (Read Blackbaud’s statement about the incident.)
The Blackbaud data breach was limited to SCU’s alumni and development database and did not affect other SCU databases containing general financial, student, or employee information. SCU’s cybersecurity is robust – it is safe to use your SCU email and the University website for online giving or other transactions.
We are sharing additional information here as part of our commitment to accountability and transparency. The University takes our data protection responsibilities very seriously. We greatly value your support of Santa Clara University, respect your privacy, and work hard to keep your trust. If you would like to receive additional information about Blackbaud’s data breach as Santa Clara continues our investigation, please contact Jeff Beachy, Assistant Vice President of Advancement Services, at firstname.lastname@example.org.
What information was involved in this data breach?
We would like to reassure you that a detailed forensic investigation was undertaken by law enforcement and third-party cybersecurity experts on behalf of Blackbaud. Santa Clara does not store credit card, bank account, or social security data in our fundraising database, and Blackbaud further confirmed that the ransomware attack did not access any database usernames or passwords.
However, Blackbaud determined that contact information, including telephone number, email address, and/or mailing address; a history of donor relationships with Santa Clara University to that point, such as donation dates and amount; and in some cases, dates of birth may have been accessed in the ransomware attack. SCU has requested and is investigating the breached data to independently confirm its scope.
Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud does not believe any data went beyond the ransomware attack, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud and third parties, including law enforcement, have been monitoring the dark web and found no instances of such data being released.
What is Santa Clara University doing in response?
SCU immediately launched our own investigation and has taken the following steps:
- We notified potentially affected parties to make you aware of this breach of Blackbaud’s systems so you can remain vigilant;
- We are working with Blackbaud to independently review a copy of the breached data; to understand why there was a delay between finding the breach and notifying SCU; and to learn what actions Blackbaud is taking to increase its security, monitor potential identity threats as a result of this breach, and ensure the highest levels of privacy;
- We will assess SCU’s ongoing business relationship with Blackbaud based on their responsiveness to our investigation as well as their continued enhancements to cybersecurity and privacy protection;
- We are taking steps to learn how many other parties in higher education and the wider not-for-profit sector have been affected;
- As part of the University's comprehensive cybersecurity strategy and in response to this third-party data breach, we will be performing an independent security audit of our alumni and development systems used by University Relations, consistent with our policies and commitment to maintain the highest levels of due diligence related to data security and privacy;
- You can also read our statement on donor privacy and confidentiality contained in SCU’s Gift Acceptance Guidelines.
- SCU also requires mandatory annual cybersecurity awareness training for all faculty, staff, and other employees. SCU’s technology policies and standards are available here.
- We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend that you promptly report any suspicious activity or suspected identity theft to the proper authorities.
What is Blackbaud doing?
As part of ongoing efforts, Blackbaud has already implemented several changes to protect your data from any subsequent incidents. Its teams identified the vulnerability associated with this incident and took action to fix it. Blackbaud has tested its fix with multiple third parties, including the appropriate platform vendors, and assured Santa Clara University that it withstands all known attack tactics.
What steps can you take?
Santa Clara does not store credit card, bank account, or social security data in our fundraising database hosted by Blackbaud. Additionally, Blackbaud has assured us that none of our fundraising database passwords or usernames were compromised. However, as a best practice, we recommend that you remain vigilant by reviewing your account statements and credit reports closely and reporting any suspicious activities.
You can obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months by visiting http://www.annualcreditreport.com, calling toll-free 877-322-8228, or completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.
If you detect any suspicious activity, promptly notify the financial institution or company where the account is maintained. You also should report any fraudulent activity or suspected incidence of identity theft to law enforcement authorities, your state attorney general, and/or the Federal Trade Commission.
To file a complaint with the FTC, go to http://www.ftc.gov/idtheft or call 1-877-ID-THEFT (877-438-4338). The Federal Trade Commission also offers tips on how to avoid identity theft; more information is available at the same address and phone number.
Why did Blackbaud wait to notify SCU?
We are seeking additional information from Blackbaud. From preliminary indications, Blackbaud’s first priority was to contain and stop the ransomware attack that was first detected in mid-May 2020. The company then focused on the extent of the damage to the system and to data through its own internal assessments, and a third-party forensic assessor provided an official report in June. By early July, Blackbaud developed enough certainty on information exposed and customers affected that it could work toward notifications. Customer notifications were made later in July.
Our Commitment To You
While data breaches and ransomware attacks are unfortunately becoming more common, this is not something Santa Clara ever wants to happen to our valued supporters. Your privacy is of utmost importance to us. We will continue to work with Blackbaud and authorities to investigate this incident, and very much regret the inconvenience that this data breach may have caused. Please be assured that we take data protection very seriously and are grateful for the continued support of our alumni, parents, and friends.
If you have any questions or concerns regarding this matter, please do not hesitate to contact Jeff Beachy, Assistant Vice President of Advancement Services, at email@example.com or (408) 554-5360.