Blackbaud data security incident, July 2020

Updates about the Blackbaud data security incident in July 2020.

Update – November 2020

We have completed a rigorous internal investigation of the University of Leeds data contained within the Blackbaud security breach and are confident that data compromised in this incident was, as previously communicated, comparatively low risk and did not contain any bank account or credit card information.

Blackbaud has communicated to us in detail the steps it has now taken to remediate this incident and additional measures it has put in place to protect against future hacking attacks and ensure that all our data remains secure.

No further action is required by our alumni community, although in line with best practice, we continue to recommend that everyone remains vigilant and only open and respond to emails from a legitimate contact or source. You should never disclose financial information or passwords to anyone over email. We remain on hand should you have any questions or need further reassurance.

We have recently received confirmation from Blackbaud that the University of Leeds was not affected by the latest additional findings relating to payment details, as reported by the media, including the BBC article.

Anyone with further questions or concerns about this matter should contact us at alumni@leeds.ac.uk.

We take data security seriously. Our privacy notice details how we use your data, how we keep it safe and how to opt out of data processing activities. 

You can change your communication preferences at any time.

Update – July 2020

On Thursday 16 July, we were made aware of a security incident involving one of our third-party service providers, Blackbaud.

Blackbaud is one of the world’s largest providers of customer relationship management systems for the higher education and not-for-profit sectors.

It informed us that in May it had discovered and stopped a ransomware attack on its systems, although some data was compromised. A number of  universities using its services have been affected, including the University of Leeds.

The company assures us that data compromised in the incident was comparatively low risk and did not contain any password, bank account or credit card information.

We are continuing to work closely with Blackbaud to determine exactly what personal data was compromised. We understand that other clients of Blackbaud have been affected in different ways, with varying types of data involved. In our case, it appears that names and email addresses for some members of our alumni and supporter community were affected.

Information on the sums given as gifts or event payments through the alumni web portal may also have been affected, although not any bank account or credit card details.

Blackbaud paid a ransom to the cybercriminal and received assurances that the stolen data was destroyed and not used or sold on to third parties. Blackbaud says that – based on the nature of the incident, its research, and investigation by third parties (including law enforcement) – it has no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

We understand that this news will cause concern among our alumni and supporters and we are sorry for any distress or inconvenience caused by what is criminal activity against one of our service providers.

To stress again though, no bank account, credit card or password information was affected by the cyberattack.

No action is required by our alumni community at this time, although in line with best practice, we recommend that everyone remains vigilant. Any suspicious activity or suspected identity theft should be reported promptly to the appropriate law enforcement authorities. We are also on hand should you need any technical support or reassurance.

We are continuing to work closely with the company to verify that all our data remains secure and are writing to those affected in our alumni and supporter community to explain what has happened.

We are also seeking an explanation for the delay in Blackbaud informing its clients of this issue.

As a precautionary measure, the Information Commissioner’s Office was sent a preliminary notification about this issue over the weekend.

Blackbaud has set out further details about the incident on their website.

Anyone with questions or concerns about this matter should contact us at alumni@leeds.ac.uk.

We take data security seriously. Our privacy notice details how we use your data, how we keep it safe and how to opt out of data processing activities.