
Our data protection statement explains how the Development Office of St John’s College, Cambridge handles and uses the personal data we collect about Johnians and our supporters – whether donors, volunteers or participants in membership groups, e.g. the Beaufort Society. We are committed to protecting your personal information and being transparent about the information we hold. Our privacy policy and cookies notice sets out how your data is processed across this website.

You have a right to object at any time to the Development Office processing your personal data for any or all of the purposes set out in our data protection statement and privacy policy and cookies notice. To request a copy of either via email, please contact privacy.development@joh.cam.ac.uk.

You can write to the Development Office at development@joh.cam.ac.uk with any enquiries or requests to change your communication preferences.


Blackbaud data breach

It was recently brought to our attention that St John’s was one of a number of organisations from around the world affected by a data breach at Blackbaud. Like a number of other higher education institutions in the UK and around the world, we use Blackbaud’s products to help us record and manage engagement with alumni and supporters of the College. In the College’s case the incident would appear to have a minimal to no likelihood of harm and there is no need for alumni and friends to take any action.

What happened?

On 16 July we were contacted by Blackbaud, our third-party service provider, to inform us that they had been a victim of a ransomware attack in May 2020. With the help of independent forensics experts and US law enforcement, they were able to stop the ransomware attack and successfully prevented further misuse of their data. Prior to Blackbaud blocking the attack, a copy of a subset of data from a number of their clients was removed, which included some St John’s College data. The breach involved data that is processed through part of our website called NetCommunity, which is used to record some interactions with our community. Our digital networking platform Johnian Hub is unaffected by this incident.

We would like to assure you that:

• The cyber-criminal did not gain access to bank account details, credit card information, usernames, passwords or login details as this data is encrypted.
• A detailed forensic investigation was undertaken on behalf of Blackbaud, by law enforcement and third-party cyber security experts.
• We have received confirmation from Blackbaud that there have been no reported incidents involving the misuse of affected data and that there is no reason to believe that any data went beyond the cyber-criminal.
• Blackbaud has identified the vulnerability associated with this incident and has confirmed through testing that the fix withstands all known attack tactics.
• Blackbaud have reported the breach to the Information Commissioner’s Office (ICO).
• St John’s College has also reported the breach to the ICO.

What information is involved?

The copy of a subset of back-up data included names, matriculation year, contact details (emails, addresses, phone numbers), employer name, event booking information and online donation data (excluding bank account information and credit/debit card information).

How did Blackbaud respond?

To protect customers’ data and mitigate potential identity theft, Blackbaud met the ransomware demand in relation to this file. Blackbaud has advised us that, having paid the ransom, it received assurances that this data had been destroyed, and since then there has been no indication that this data remains in circulation. Read more about Blackbaud’s own account of the attack and its response at https://www.blackbaud.co.uk/newsroom/news-archives/2020/07/16/learn-more-about-the-ransomware-attack-we-recently-stopped

What action have we taken?

We take our data protection responsibilities very seriously and have embarked on our own detailed investigation with the support of the University of Cambridge’s Office for Intercollegiate Services Data Protection Officer and the Information Commissioner’s Office. While Blackbaud is confident that the copy of the data file has been destroyed, we have taken the following steps:

• We have informed the University of Cambridge’s Office for Intercollegiate Services and we have notified the Information Commissioner’s Office (ICO) of the breach and await further guidance.
• We will continue to work with Blackbaud to clarify exactly the full extent of any possible risk to data.
• We are working with Blackbaud to understand the detail of the security enhancements they have already put in place or are planning, in order to minimise the risk of any recurrence. Please read about Blackbaud’s online security for more information.
• We will be reviewing our relationship with Blackbaud as the online security of our community is of paramount concern.

What do you need to do?

We do not believe this poses a significant risk to individuals connected to St John’s and there is no need for you to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any potential misuse of your data to the proper law enforcement authorities. We are continuing to work with Blackbaud and the ICO to investigate this matter and will update this document accordingly.

Please view our privacy and data protection statements for more information on our relevant policies.

We are disappointed that this has happened and wish to assure you of our commitment to protecting your data. If you have any concerns, please contact us at privacy.development@joh.cam.ac.uk.