Blackbaud data security incident

Published:

Share:

Message to alumni and supporters

On Thursday, 16 July, one of our third-party service providers, Blackbaud, informed us of a data security incident involving a system used to store University personal data. They have provided assurances that the incident has been fully contained and that the data is secure.

As we previously used the system to communicate with alumni and supporters we are writing to let you know that this has happened. Please rest assured, however, that you do not need to take any action at this time. 

Blackbaud is one of the world’s largest providers of customer relationship management systems, servicing thousands of higher education institutions and third sector organisations. 

Up until January 2019, we contracted with Blackbaud to provide a platform that enabled alumni to sign into the portal on our website. 

Blackbaud informed us last week that in May, they discovered and stopped a ransomware attack on their systems, but that some data was compromised. 

Blackbaud have told us that in our case, they still held a back-up of the platform we previously used, and that data from this legacy platform has been affected in the incident. They have confirmed that they have now destroyed that back-up dataset. This incident did not involve any University personal data in the Blackbaud systems that we currently use to communicate with alumni and supporters.

The company assures us that data compromised in the incident did not contain any usernames, passwords, bank account or credit card information. However, the names and email addresses of our alumni and supporters were held on the back-up legacy system affected, and there is a possibility that it also contained transaction details for event registration and online donations.

Blackbaud paid a ransom to the cybercriminal and received assurances that the stolen data was destroyed and not used or sold on to third parties. Blackbaud says that based on the nature of the incident, its research, and investigation by law enforcement and cybersecurity experts, they have no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

We are sorry for any distress or concern caused by this incident and would like to take this opportunity to reassure you that all data currently held is secure and safe. 

You do not need to do anything at this time – but please be on the lookout for any unusual emails. Remember that we will never ask you for your password or other personal details by email. Do also visit the National Cyber Security Centre for advice about staying safe online.

Don’t hesitate to get in touch if we can provide support or reassurance. 

We continue to work closely with Blackbaud to verify that all our data remains secure and are also seeking an explanation for the delay in Blackbaud informing us, and our peers in the sector, of this issue.

Here you can read further details from Blackbaud about the incident.

We take our role as Data Controller very seriously and as a precautionary measure, have reported this to the Information Commissioner’s Office. 

Our privacy notice details how we use your data, how we keep it safe and how to opt out of data processing activities. You can also change your communication preferences at any time.

If you have any questions or concerns about this matter, or would just like technical support or reassurance, please contact our alumni team at watt.club@hw.ac.uk or our data protection team at dataprotection@hw.ac.uk  

Ruth Moir, 
Acting Secretary

Heriot-Watt University