Norwich University Online

Dear Sir or Madam:

I am writing to inform you of a data security incident experienced by Blackbaud, Inc. (“Blackbaud”), a provider of cloud-based data management services to Norwich University (“Norwich”) as well as many other schools, colleges and universities, and other not-for-profit organizations.

I sincerely apologize for any concern that this incident may cause you. Let me reassure you that Norwich is working diligently to ensure that this incident is sufficiently addressed.

What Happened

On Thursday, July 16, 2020, we were notified by Blackbaud that it had discovered and stopped a ransomware attack that occurred in May 2020. Blackbaud’s systems that were affected by the attack included a database containing certain information about Norwich’s donors. According to the notification provided by Blackbaud, the attacker(s) may have acquired some data maintained within Blackbaud’s database. Blackbaud informed us that it paid a ransom to the attacker and obtained confirmation that the compromised information has been destroyed and is no longer in the possession of the attacker(s). According to Blackbaud, and as far as we know, there is no indication that any of the compromised information has been subject to misuse or to further disclosure. Blackbaud has also assured us that they are enhancing their safeguards to mitigate the risk of future attacks. Nevertheless, out of an abundance of caution, we wanted to advise you of this incident.

The security of our constituents’ personal information is of the utmost importance to us and we deeply regret this incident. We have made clear to Blackbaud that we expect to receive additional information regarding the incident and what steps were taken by Blackbaud to remediate the incident, including, but not limited to, what enhanced security practices are being put in place.

What Information Was Involved

According to Blackbaud, bank account information, usernames, passwords, and Social Security numbers that may have been contained in the affected systems were encrypted and the decryption keys were not compromised. Therefore, it appears that this information was not subject to misuse or unauthorized disclosure. Further, Blackbaud has stated that none of our donors’ payment (credit, debit, etc.) card information was included in the compromised database and therefore was not impacted as a result of this incident.

However, other information may have been acquired by the attacker. Blackbaud has provided general information regarding the databases potentially affected, and again, assures us that Social Security numbers and payment card information were not compromised. Nevertheless, we are working diligently to obtain additional information from Blackbaud to obtain a better understanding of the scope of the incident and more specific information regarding what types of data may have been impacted.

What Is Being Done

Blackbaud has indicated that they are taking efforts to further secure their environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms. We are working diligently to obtain additional information from Blackbaud regarding the scope of the incident and what steps have been taken to ensure that a similar incident does not occur in the future. Additionally, as stated above, we are working to obtain additional information from Blackbaud regarding what specific information may have been impacted as a result of this incident to ensure that the proper notification is provided to individuals whose sensitive information may have been impacted. Importantly, Norwich is currently unaware whether any individual’s sensitive information was impacted as a result of this incident.

What You Can Do

While we work to obtain additional information from Blackbaud, we recommend that you remain vigilant in regularly reviewing and monitoring all of your account statements and credit history to guard against any unauthorized transactions or activity. If you discover any suspicious or unusual activity on your accounts, please promptly contact your financial institution or company. While we do not have specific information regarding what information may have been impacted, and while Blackbaud has indicated that banking information and Social Security numbers were not impacted, we have provided additional information below, which contains more information about steps you can take to protect yourself against fraud and identity theft.

For More Information

Should you have questions or concerns regarding this matter, please do not hesitate to contact Carol Flint at (802) 485-2334. Importantly, Blackbaud has not been very cooperative in providing additional information and therefore, the information available to us regarding this incident is currently limited. However, we will work to provide you with as much information as possible.

Norwich has no relationship more important or more meaningful than the one we share with our Norwich Family. I want to personally express my deepest regret for any worry or inconvenience that this incident may cause you.

Sincerely,

Dave Whaley
David Whaley '76
Vice President, Development & Alumni Relations

Norwich University • 158 Harmon Drive, Northfield VT 05663
802.485.2100 • 877.631.2019 • alumni@norwich.edu • alumni.norwich.edu
