Blackbaud Security Incident

    Friday, August 28, 2020 - 14:00

    Blackbaud Security Incident 

     
    The information below relates to a data security incident with a third-party service provider to Maynooth University. The incident involved data from organisations worldwide, as well as Maynooth University data. 

    We take data security issues extremely seriously at Maynooth, and we want to be transparent about what happened, how the University is responding, and what we’re doing to prevent it from happening again.  

    Upon receiving notice of the incident, we immediately launched an investigation. Details of this are below, including the steps we have taken in response. 

     

    What Happened?  

     
    On 16th July 2020, we received notification of a security incident from a third-party service provider, Blackbaud.  Blackbaud is one of the world’s largest providers of customer relationship management systems for the not-for-profit and education sectors.   
     
    They advised us that they were the victim of a ransomware attack in May 2020. After discovering the attack, Blackbaud’s cybersecurity team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking their system access and fully encrypting files, and ultimately expelled them from the system. However, before being locked out, the cybercriminal removed a copy of a backup file containing personal information including a subset of Maynooth University data.  
     
    Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and a third party (including law enforcement) investigation, Blackbaud do not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly and are continuing to monitor this.  
     
    The Maynooth University Development and Alumni Office uses Blackbaud’s system to record engagement with our alumni and our network of supporters. Having investigated this matter, we are now able to notify affected parties. 
     

    What information was involved? 

    We want to advise you that: 
    • A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cybersecurity experts. 
    • Blackbaud has confirmed that the investigation found that no encrypted information, such as credit card, bank account details or passwords, was accessed. 
    Maynooth University data accessed by the attacker may have contained some of the following information: 
    • Basic details and contact information (e.g. name, date of birth, address, email) 
    • Education and professional information (e.g. qualifications received, profession) 
    • Details of engagement with the Development and Alumni Relations Office (e.g. event participation, donations, survey responses).  

    What are we doing about the situation? 

    Blackbaud is accelerating efforts to further harden its environment and address the security gaps identified during the investigation and continues to monitor the situation.  
    On receiving notice from Blackbaud we launched our own investigation and are taking the following steps:  
    • We are notifying affected parties of the Blackbaud security incident. 
    • We have informed the Data Protection Commissioner of the incident. 
    • We have continued to work with Blackbaud to understand the steps they have taken to address this and what actions they will take to increase their security. 
    • We are reviewing our relationship with Blackbaud as a service provider. 
     

    What do you need to do? 

    There is currently no need for you to take any action. We recommend you remain vigilant and report any suspicious activity or identity theft to the proper authorities. 
     
    Please know that we take our data protection responsibilities very seriously. We assure you that we will continue to do everything we can to ensure the safety of your data. We will continue to work with Blackbaud to investigate this matter and take the advice from our Data Protection Officer and Information security team. 
     

    For more information 

    Information on the incident is available from Blackbaud at https://www.blackbaud.com/securityincident
    For questions, please see the Blackbaud Security Incident FAQ Document   
    Email the Maynooth University Development and Alumni Relations Office at blackbaudIncident@mu.ie 
    The University’s Data Protection Policy is available to read here
     
    We at Maynooth University sincerely apologise for this incident. Please know we will continue to monitor and strengthen our data security efforts internally and amongst our third-party providers. We will continue to update this page with any relevant developments as they arise.