The information below relates to a data
security breach involving a company called Blackbaud, which supplies engagement
and relationship management software services to a number of educational
institutions and charities in the UK, as well as across the world. The University of South Wales is one of those
institutions that works with Blackbaud in the management of its graduate and
supporter records, and, unfortunately, is one of those affected by the breach.
Please note that the company Blackbaud is not associated the University's online teaching platform, which is called Blackboard.
The University of South Wales takes data security very seriously. As soon as we were notified we launched our own investigation and further details are below, including steps we have taken in response.
Blackbaud advised us on 16 July 2020 that it had discovered a ransomware attack in May 2020. The cybercriminal removed a copy of a subset of a data backup from Blackbaud’s NetCommunity hosted environment at some point between 7 February and 20 May 2020.
Blackbaud has advised that it has worked with third parties, including law enforcement and independent forensics experts, and that they paid the cybercriminal’s demand to ensure the data was not shared further and was destroyed, although we cannot verify this definitely.
How was the University of South Wales affected?
The University of South Wales used NetCommunity for the purposes of sending community emails only, and ceased to use this self-hosted environment in December 2018.
Data accessed by the cybercriminal was a backup of data associated with sending emails through NetCommunity.
As a historic backup, data that was affected was not aligned to any current communication preferences. Given the dataset that was breached was historic in nature, nevertheless we felt it was appropriate to notify all who may have been affected, regardless of long-held and adhered to communication preferences.
Our understanding was that any data - including any backups – that would have been used to send emails were destroyed when the University ceased to use the NetCommunity product. Regrettably, it appears that Blackbaud did not do this.
Blackbaud confirms that this incident did not reach solutions held in the public cloud environment and they confirm that the main alumni database was not breached in any way.
What information was involved?
From the information provided by Blackbaud, data that was accessed by the cybercriminal was ‘send to’ name and email addresses only. No other data was compromised, as no other data was held in the particular platform that Blackbaud has informed us was breached. As the information was held for backup purposes and not updated, it is likely that a number of the ‘send to’ addresses are not up to date.
NetCommunity is used in different ways by different Universities and organisations, therefore each institution has been affected differently.
Why did Blackbaud not notify USW of the breach earlier and why am I only just finding out?
Blackbaud prioritised fending off the cyberattack in the first instance and expelling the cyber criminals from their system. They then started an investigation to understand what had been affected before being in a position to advise who had been affected and in what way.
We have contacted alumni and supporters at the earliest opportunity once we were notified of the breach and we have subsequently provided further specific details after they were supplied to us.
What have we done about the situation?
Upon learning of this breach we launched our own investigation and have taken the following steps:
Steps we will take in future
We will continue to work with Blackbaud to investigate the matter and are reviewing the contractual arrangements with them, focusing on their current and proposed security measures for our data. Moving forward, we are also reviewing our ongoing relationship with them as a data processor.
What can those affected do?
You do not need to take action in regard to this incident.
We do recommend that you remain vigilant and lookout for any unusual emails and do not, if prompted by email, share and disclose password or personal details.
The National Cyber Security Centre’s have helpful advice on online safety that may be useful.
We understand that our alumni may be distressed by these events. However, we hope that the information we have provided assures you that the University has,and will continue to do everything to keep your information secure.
If you have any further concerns, please email firstname.lastname@example.org