Blackbaud data breach

We learned recently that Trinity Hall was one of a number of educational and voluntary sector organisations in Cambridge, the UK and across the world to have been affected by a data breach at the US company Blackbaud. Blackbaud are one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.

We take our data protection responsibilities very seriously and have launched our own investigation. Based on what we know so far, we do not believe there to be a significant risk to constituents – nor any need for our constituents to take any action at this time. We continue to work with Blackbaud to clarify the full extent of any possible risk.

What happened?

On 16th July, Blackbaud informed us of a data security incident: they had been the victim of a ransomware attack between 7th February and 20th May 2020. With the help of independent forensics experts and US law enforcement, they were able to stop the ransomware attack and believe they have successfully prevented further misuse of their data. Nevertheless, a copy of a subset of data from a number of their clients was removed. This included a subset of Trinity Hall data from a product known as Netcommunity, which we previously used for our alumni community THalumni.net, and which we now use for emails and online transactions.

In order to protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand. Blackbaud provided us with assurances that “based on the nature of the incident, our research and third-party (and law enforcement) investigations, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused or made available publicly.” US law enforcement and third-party cyber security experts have undertaken a detailed forensic investigation on behalf of Blackbaud. We are also conducting our own investigation and seeking advice from the Data Protection Officer for the Cambridge Colleges at the University’s Office for Intercollegiate Services and the Information Commissioner’s Office.

There have been no reported incidents involving the misuse of any affected data.

What information was involved?

Blackbaud have confirmed that their investigation found that:

  • no encrypted information, such as bank account details or passwords, was accessible
  • no credit card information formed part of the data theft

The Netcommunity system is used to process online transactions including event registrations, donation payments and profile updates. The information involved will vary on a case-by-case basis depending on the transaction and/or online profile, but may include:

  • Personal details such as name and date of birth
  • Contact details such as postal addresses, email addresses and telephone numbers
  • Details of educational records such as the qualification(s) you received from Cambridge, year of matriculation and graduation
  • Membership of student societies or sports clubs
  • Business details including job title and employer name
  • Other details that might have been shared including current interests and news

What are we doing about the situation?

Ensuring the safety of our constituents’ data is of the utmost importance to us. Whilst Blackbaud is confident that the copy of the data file has been destroyed, we have taken a number of steps following our own investigation and as a result of direct communication with Blackbaud:

  • We are taking the precautionary step of writing to everybody who may have received an email through the Netcommunity system, used an online form or had a historic profile.
  • We informed the ICO on 16th July that we were affected and we are keeping them updated on the results of our investigations.
  • We have submitted an incident report to the Charity Commission.
  • We have informed the Office for Intercollegiate Services at the University of Cambridge.
  • We are working with Blackbaud to understand the detail of the security enhancements they have put in place or are planned in order to minimise the risk of recurrence.

What action has Blackbaud taken?

Blackbaud reported the breach to the Information Commissioner’s Office (ICO) and has implemented several changes intended to protect data from any subsequent incidents. Blackbaud were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. They have confirmed, through testing by multiple third parties, that the fix withstands all known attack tactics. They have also made enhancements to access management and network segmentation.

Blackbaud has advised that they did not notify us sooner because they first needed to defend against the attack and conduct the subsequent investigation, and then to take measures to address the issue that led to the incident and prepare resources for customers.

What action do individuals need to take?

At present, we do not believe there to be a significant risk to constituents – nor any need for our constituents to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

For information on staying safe online see:

www.ncsc.gov.uk/guidance/suspicious-email-actions

www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online

Please be assured that Trinity Hall takes data protection of our members very seriously. You can read our data protection policy here. We are sorry for any concern this may cause our members and supporters. We are continuing to work with Blackbaud to investigate this matter and will keep this statement updated.

If you have any questions about our response or are concerned, please contact the Alumni & Development Office at development.director@trinhall.cam.ac.uk.

Edit 3 August: Updated ‘What are we doing about the situation?’ to include date ICO was informed and to confirm Charity Commission incident report has been submitted