Blackbaud data breach

It was recently brought to our attention that St John’s was one of a number of organisations from around the world affected by a data breach at Blackbaud. Like a number of other higher education institutions in the UK and around the world, we use Blackbaud’s products to help us record and manage engagement with alumni and supporters of the College. In the College’s case the incident would appear to have a minimal to no likelihood of harm and there is no need for alumni and friends to take any action.

What happened?

On 16 July we were contacted by Blackbaud, our third-party service provider, to inform us that they had been the victim of a ransomware attack in May 2020. With the help of independent forensics experts and US law enforcement, they were able to stop the ransomware attack and successfully prevented further misuse of their data. Prior to Blackbaud blocking the attack, a copy of a subset of data from a number of their clients was removed, which included some St John’s College data. The breach involved data that is processed through part of our website called NetCommunity, which is used to record some interactions with our community. Our digital networking platform Johnian Hub is unaffected by this incident.

We would like to assure you that:

• The cyber-criminal did not gain access to bank account details, credit card information, usernames, passwords or login details as this data is encrypted.
• A detailed forensic investigation was undertaken on behalf of Blackbaud, by law enforcement and third-party cyber security experts.
• We have received confirmation from Blackbaud that there have been no reported incidents involving the misuse of affected data and that there is no reason to believe that any data went beyond the cyber-criminal.
• Blackbaud has identified the vulnerability associated with this incident and has confirmed through testing that the fix withstands all known attack tactics.
• Blackbaud has reported the breach to the Information Commissioner’s Office (ICO).
• St John’s College has also reported the breach to the ICO.

What information is involved?

The copy of a subset of back-up data included names, matriculation year, contact details (emails, addresses, phone numbers), employer name, event booking information and online donation data (excluding bank account information and credit/debit card information).

How did Blackbaud respond?

To protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand in relation to this file. Blackbaud has advised us that, having paid the ransom, it received assurances that this data had been destroyed, and since then there has been no indication that this data remains in circulation. Read more about Blackbaud’s own account of the attack and its response at
https://www.blackbaud.co.uk/newsroom/news-archives/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped

What action have we taken?

We take our data protection responsibilities very seriously and have embarked on our own detailed investigation with the support of the University of Cambridge’s Office for Intercollegiate Services Data Protection Officer and the Information Commissioner’s Office. While Blackbaud is confident that the copy of the data file has been destroyed, we have taken the following steps:

• We have informed the University of Cambridge’s Office for Intercollegiate Services and we have notified the Information Commissioner’s Office (ICO) of the breach and await further guidance.
• We will continue to work with Blackbaud to clarify the full extent of any possible risk to data.
• We are working with Blackbaud to understand the detail of the security enhancements they have already put in place or are planning, in order to minimise the risk of any recurrence. Please read about Blackbaud’s online security for more information.
• We will be reviewing our relationship with Blackbaud as the online security of our community is of paramount concern.

What do you need to do?

We do not believe this poses a significant risk to individuals connected to St John’s and there is no need for you to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any potential misuse of your data to the proper law enforcement authorities. We are continuing to work with Blackbaud and the ICO to investigate this matter and will update this document accordingly.

Please view our privacy and data protection statements for more information on our relevant policies.

We are disappointed that this has happened and wish to assure you of our commitment to protecting your data. If you have any concerns, please contact us at privacy.development@joh.cam.ac.uk.

© 2020 St John's College, Cambridge | Registered Charity Number 1137428