You may have read in the news about a data breach experienced by Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software. Hughes Hall is a client and we have used them for over a decade.
We regret that we have been informed by Blackbaud that a segment of our records has been affected by this cyber-criminal attack. Blackbaud has provided us with assurances that “based on the nature of the incident, our research and third-party (and law enforcement) investigations, we have no reason to believe that any data went beyond the cyber-criminal, was or will be misused or made available publicly” but we are also conducting our own thorough investigation and seeking advice from Cambridge University’s Office for Intercollegiate Services and the Information Commissioner’s Office.
The college has a robust commitment to good data management practices and we have been very disappointed to learn about this problem from our service provider. Please be assured that we are working with Blackbaud to fully investigate this matter and we are contacting affected individuals directly.
On 16 July we were contacted by our third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for the Higher Education sector. We use their system to record engagement with members of our community, including alumni, fellows, students and supporters.
Blackbaud informed us that they had discovered and stopped a ransomware attack in May 2020 and that the cyber-criminal was able to remove a copy of a subset of data from a number of their clients, including other UK universities and colleges. Having undertaken a thorough review of the information shared with us by Blackbaud, it is clear that for Hughes Hall the data breach involved only a segment of our records that were processed through an area of our system called NetCommunity.
We would like to reassure our community that:
- The cyber-criminal did not gain access to bank account information or passwords because these were encrypted.
- A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts.
- There is no reason to believe that any data went beyond the cyber-criminal, was or will be misused or made available publicly.
- Blackbaud have identified the vulnerability associated with this incident and have confirmed through testing by multiple third parties that the fix withstands all known attack tactics.
What information was involved
The data compromised was a legacy back-up file from an area of our system called NetCommunity that we ceased using in early 2019. This system was used to process e-mailings; online transactions including event registrations, donation payments and profile updates; and also hosted the Hughes-Hub members’ area for which some individuals had accounts.
In most cases the information involved will have been limited to name and email address only, but in a small number of cases it may also include:
- Basic Details (e.g. Gender, Date of Birth)
- Contact Details (e.g. Address, Telephone Number)
- Engagement Details (e.g. Event Attendance, Donation History)
- Professional and Education Details (e.g. Employer, Course Subject)
What we are doing
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud paid the ransom demand and received assurances from the cyber-criminal that the data was destroyed.
In addition, on notification of the incident we immediately launched our own investigation and have taken the following steps:
- We are notifying affected individuals so that they are aware of this breach to Blackbaud’s system and can remain vigilant.
- We have informed the University of Cambridge’s Office for Intercollegiate Services, and the Information Commissioner’s Office (ICO) has been notified of Blackbaud’s breach.
- We are working with Blackbaud to confirm why there was a delay between them finding the breach and notifying us; why this historic data was still being hosted on their system; and what actions they have taken to permanently remove this inactive data and to increase their security.
- We will be reviewing the third-party services we engage to provide our relationship management system so that we, and our members, can be confident in the safety and security of our data going forward.
What you can do
There is no need for our community to take any action at this time; however, as best practice we recommend that people remain vigilant and promptly report any suspicious activity or suspected identity theft to law enforcement authorities.
You will hear from us directly if we believe that any of your data was involved.