August 4, 2020
Notification of Data Security Incident – 3rd Party Vendor Blackbaud
The Montclair State University Foundation has been notified by Blackbaud, a globally-trusted cloud-based data management provider, that the Foundation and many other non-profit organizations use for financial and fundraising management, that Blackbaud had discovered and stopped a ransomware attack that occurred earlier this year.
The Foundation takes the protection of your information very seriously and values transparency. Therefore, we are writing to let you know what happened and the steps that were taken to remediate any potential impact related to the incident.
On July 16, 2020, Blackbaud representatives informed us of a ransomware attack that occurred at some point beginning February 7, 2020 and culminated in May 2020. The cybercriminal had made attempts but was ultimately unsuccessful in blocking user access to the database involved in the attack. However, the cybercriminal was able to remove a copy of a subset of several clients’ data. This included a backup file that contained personal information in our database.
Blackbaud informed us it engaged outside third-party forensic experts to conduct a detailed forensic investigation, while also working with law enforcement.
What Information Was Involved
Blackbaud has confirmed that the investigation found that the attackers did not access encrypted information, such as Social Security numbers and bank account information or passwords. Blackbaud has also confirmed that no credit or debit card information was part of the data security incident.
However, the Montclair State University Foundation data accessed by the cybercriminal in the Blackbaud database contained some of the following information:
- Personal information such as name, title, date of birth, spouse
- Addresses and contact details such as phone numbers and e-mail addresses
- Philanthropic interests and giving history to Montclair State University Foundation
- Educational degrees
What Blackbaud Is Doing
Blackbaud told us that in order to protect data and mitigate potential identity theft, it paid the cybercriminal’s ransom demand and that it has received assurances from the cybercriminal that the data has been destroyed. Blackbaud’s third-party experts believe that this is true. Blackbaud has also said that it, and its outside experts, are continuing to monitor the web in an effort to verify the data accessed by the cybercriminal has not been disclosed.
What We Are Doing
Montclair State University moved swiftly to launch our own investigation, including engaging outside experts to assist us. As a result of these efforts, the following steps have been taken:
- We are notifying affected constituents to make them aware of this breach of Blackbaud’s systems.
- We are working with Blackbaud to understand why there was a delay between it finding the breach and notifying us.
- We are taking steps to learn what actions Blackbaud is taking to increase internal controls and security.
- We do not believe there is a need for our constituents to take any action at this time. However, as a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
We will continue to work with Blackbaud to investigate this incident. We regret this has taken place and apologize for any concern this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
For questions related to the security incident, please contact us at 973-655-2020 or firstname.lastname@example.org.