Notice of Vendor Data Incident


In an abundance of caution, we are writing to notify you that Blackbaud, Inc. (one of our vendors) recently made us aware of a data security incident that may have affected some of your personal data.  

 

What happened?  

On July 16, 2020, we were notified that Blackbaud, an outside vendor of Agnes Scott College, had discovered and stopped a ransomware attack on Blackbaud’s self-hosted platform in May 2020.  Blackbaud is an engagement and fundraising software provider used by more than 45,000 universities, health care organizations, nonprofits, foundations, and other organizations worldwide, including Agnes Scott College.

Agnes Scott College uses Blackbaud as a cloud service provider to store and manage information that we use for fundraising and relationship management purposes.  The ransomware did not affect any of Agnes Scott College's systems in any way.

 

What information was involved? 

Blackbaud has specifically informed us that the cybercriminal did not access credit card information, bank account information, or social security numbers. According to Blackbaud, the cybercriminal did, however, remove a copy of a subset of Blackbaud customer data beginning as early as February 2020.  The subset included information used by Agnes Scott College for fundraising purposes, such as contact information, date of birth, demographic / donor profile information, and donation history.  Blackbaud has stated it paid the cybercriminal’s ransom demand with confirmation that the copy the cybercriminal removed had been destroyed.   

Blackbaud has stated that it does not believe this incident poses any risk to our donors because, based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.   Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.

 

What are we doing?

We continue to investigate this incident and are reviewing all relevant business practices regarding the security of Blackbaud data. Blackbaud reported that it has implemented numerous security changes. Blackbaud stated that it quickly identified the vulnerability associated with this incident and took swift action to fix it. Blackbaud stated that it has confirmed through testing by multiple third parties that its fix withstands all known attack tactics. Finally, Blackbaud asserted that it is further hardening its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.  For more information about Blackbaud’s cybersecurity practices and next steps following this incident, see https://www.blackbaud.com/securityincident.

 

What can you do? 

Based on the information provided by Blackbaud and our investigation to date, we do not think there is anything more you need to do at this time aside from maintaining your routine personal practices of remaining vigilant to cybercriminal scams (e.g., phishing emails and phone scams asking for money or information; always check the email address of emails you receive before clicking on any links), and promptly reporting any suspicious activity to law enforcement authorities and/or the credit bureaus:  Equifax (P.O. Box 74021, Atlanta, GA  30374; 800-685-1111), Experian (P.O. Box 2002, Allen, TX 75013; 888-397-3742) or TransUnion (P.O. Box 1000, Chester, PA  19016; 800-916-8800).

 

For more information about this incident, please contact Bret Busch, Senior Director of Advancement Services, at bbusch@agnesscott.edu or 404.471.6105.

We apologize for any inconvenience this may have caused you. 

Sincerely,

Robiaun Rogers Charles, Ed.D., CFRE
Vice President for College Advancement