Blackbaud Data Breach - Magdalene
Members may have seen in the press that Blackbaud, the industry-leading provider of software for non-profits, suffered a ransomware attack and data breach earlier this year. We are sorry to say that a historic backup copy of a Blackbaud product called NetCommunity containing some alumni records may have been affected by this breach, and thus some of our Members' data may have been involved. Although we are not directly responsible for the breach or its handling, we would like to apologise for any concern this may cause. We were only informed by Blackbaud of this earlier this week as we have not used the product since 2018 and our possible involvement transpired belatedly. We have been undertaking an internal investigation into the likely impact since Monday and are still trying to identify the parameters of data which may have been involved. In the meantime, please be reassured that no financially sensitive data has been compromised.
Like most universities and colleges, Magdalene uses a third-party provider, Blackbaud, to manage its alumni records. In accordance with GDPR, our data is held in a secure EU data centre, using Microsoft Azure, and accessed through the cloud using dual-factor authentication. This data was unaffected by the breach.
In May, Blackbaud was subject to a significant cyber attack. Although largely thwarted, a portion of data was stolen from its facilities in the US, and ransomed. Blackbaud paid the ransom, and – working with the FBI – is confident that all data removed during the attack has been destroyed. While our live database in the EU was unaffected, it appears that Blackbaud has erroneously retained an historic Magdalene backup (likely from 2017/2018), which was involved in the breach.
What do you need to do?
Blackbaud has reassured all those involved in the breach that data from the attack has been destroyed and is not in circulation, and no action is required by Members. Please be reassured that any financially sensitive data involved in the breach was encrypted and that Magdalene does not store any credit card information on our systems.
The regulator advises that contacting data subjects should only occur where there is significant risk to the individual: in this case, we do not believe that there is risk, but we felt that the public interest in the Blackbaud breach and high profile in the media meant that we should keep you informed and offer reassurance. As ever, please be cautious if you are contacted by anyone requesting financial information or payment.
What is Magdalene doing?
We take the security of our Members' data very seriously, and as such have invested significantly in storing our alumni data both within the EU and the Microsoft Azure environment. The possible breach of Magdalene’s database seems to have occurred because Blackbaud – in contravention of our agreement – failed to delete historic backup files. While we are confident that our current data storage is fit for purpose, we continue to press Blackbaud for reassurance that their data protection practices have been fully updated to meet our requirements, including the requirement to bring such matters to the attention of their clients as soon as any breach occurs.
If you have any questions regarding the above, please get in touch at firstname.lastname@example.org