Update on Blackbaud
Update about Blackbaud (2 October 2020)
You may have seen reports in the media this week with further updates about the Blackbaud data breach. The reports say that further investigations by Blackbaud have revealed a subset of their customers had been further impacted by the ransomware attack, with some financial data of some of those organisations being affected.
We want to assure you that the University of Northampton has received written confirmation from Blackbaud stating we are not one of the organisations affected.
What happened? (Summer 2020 response)
On 16 July 2020 the University of Northampton (UON) learned of a widescale breach of data security at a third-party supplier responsible for storage of records relating to alumni, supporter relationships and fundraising.
Blackbaud, which provides customer relationship management (CRM) systems to a number of universities and charities, informed UON that the company had been the victim of a ransomware attack between February and May 2020.
As part of the attack, criminals were able to steal data from a large number of Blackbaud clients. This included a subset of University of Northampton data that records engagement with our alumni, donors and supporters. However, Blackbaud has said the data did not include bank account, payment card details or any passwords.
The data accessed by the criminals may have contained some of the following information:
- Basic details, e.g. name, title, gender, date of birth
- The last known address, telephone contact details and email details that the individual provided
- Details of courses and the year an individual graduated (alumni only)
- Contact details of donors and supporters and a record of donations given and Gift Aid claimed back from HMRC. However, we do not keep any associated financial details on the affected system.
Blackbaud has stated that the intention of the attack was to disrupt business operations rather than to obtain and sell the data. However, it is monitoring the situation.
How many people have been affected?
Blackbaud has not confirmed the scale of the breach across its customer base, but reports indicate more than 150 of its clients – mostly universities and charities – have been affected.
As a precaution the University is working to contact individuals to advise them of the situation.
Why does the University of Northampton need my personal details?
The information retained on this database has been used to fulfil our legal responsibilities as a University and to comply with legislation related to fundraising and reporting to the Higher Education Statistics Agency (HESA).
The information forms a database of alumni, donors, and supporters who have allowed us to contact them to supply updates and important messages regarding University activity that may interest them.
Additionally, we also keep a database of those who have requested that we do not contact them so that they can be excluded from communication. However, in these unique circumstances we are also, where possible, contacting people who have requested exclusion in order to inform them of the breach at the third-party supplier.
The University was in the process of moving away from the Blackbaud product to a new supplier at the time of the breach.
The University is undertaking a CRM project, and we have accelerated our plans to move away from the Blackbaud product to a new supplier.
What steps have you taken?
- We are notifying potentially affected parties as a precaution
- We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance
- We are scrutinising the actions of Blackbaud before and after they learned of the breach
- We have taken the decision to cease operation with Blackbaud and are seeking a new CRM supplier
- We are reviewing contracts and evaluating a new CRM provider
- We are liaising with other organisations and universities that have been victims of the breach
Should I be worried?
The University of Northampton takes data protection very seriously and – while the breach was at a supplier and not at the University – we are sorry for the inconvenience and worry that this may cause.
There is no need to take any action at this time. As best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the police.
To help give you some reassurance, you could update your passwords and consider reviewing what information you share publicly, such as on Facebook or LinkedIn, to help reduce the number of phishing emails or other contact you could receive as a result of this incident.
You could also consider registering with www.haveibeenpwned.com. This is a free tool that checks whether your email address has appeared in a breach and can notify you if it does, not only in this circumstance but should any other service you are registered with also suffer a breach.
What should people look out for?
We will not be conducting any further fundraising campaigns until at least December 2020. Any request for donations made by someone claiming to be from the University before this time should be treated with suspicion.
We recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the police.
We have created a dedicated email address for people to send us their concerns: firstname.lastname@example.org.
Is it common to use third parties to store data about people?
Use of such suppliers is common practice across all sectors including education. The University’s use of such companies is based on legal assurances from the supplier and their agreement to fully comply with the General Data Protection Regulation 2016 and the UK Data Protection Act 2018. The University does not enter into agreements without such assurances and checks undertaken as part of our procurement process.
In this instance however, a breach has occurred with Blackbaud and an investigation is now being carried out to determine how their security was overcome.
Suppliers who suffer a personal data breach are required to inform us within 72 hours. In this instance the supplier did not do so; however, the University took immediate steps as soon as we were informed by Blackbaud of the breach.
If I ask you to delete some/all of my personal data, could you still verify to a current or future employer of my degree certification, or re-issue a degree certificate?
Your rights in this area are set out in the following document.
In brief, we would do as much as we possibly could to comply with your wishes but there will be some information we must retain, such as the years you studied with us and the award you were given.
Only one system, Blackbaud, has been affected by this issue and this has no impact on information held elsewhere in the University.
Will I receive nuisance phone calls and junk email?
At the time of writing it is not believed the data stolen has been sold.
Have you requested to hold my data?
What we process in terms of personal data is described by the University Privacy Policies.
The main text is the University web privacy statement and there are links to other specific statements at the bottom of the page.
Will there be further updates?
To prevent the additional processing of large amounts of personal data we will not contact you further on this issue unless you have asked us to carry out a specific action or emailed us with an additional question.
Your rights in this area are set out via the following document.
Are you confident that your other data systems have not been hacked?
The University is increasing the monitoring of the systems we run, and of those run by our third-party suppliers; however, at this time the breach at Blackbaud is unique.
Do those affected have a right to compensation?
GDPR gives people a right to claim compensation from any organisation if they have suffered substantial damage as a result of it breaking data protection law. This includes both provable material damage (if you have lost money) and provable non-material damage (if you have suffered substantial distress). You can also take your concerns about how your data has been processed to the Information Commissioner’s Office (ICO). For further guidance, we advise those affected to contact email@example.com or refer to the ICO website.