Notice of Data Breach
On Thursday, July 16, 2020, EARTH University Foundation received notification from Blackbaud, one of the EUF’s vendors, of a ransomware attack which occurred in May of 2020. The cybercriminal removed data for the purpose of extorting funds from Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software for non-profits.
The copy of data that the cybercriminal removed may have included the impacted individual's name and contact information for EARTH University Foundation supporters. EARTH University Foundation has never provided credit card numbers, bank account information, social security numbers, or similar high-risk data to Blackbaud, thus this data was not exposed.
If you have questions concerning this unauthorized access of data, please contact our Foundation office at firstname.lastname@example.org
We are issuing this statement to explain the incident to you. We take the protection and appropriate use of your information seriously. To the extent that the data breach affects constituents residing in the UK or EU, please accept this web notification pursuant to Article 33(2) of the General Data Protection Regulation (“GDPR”).
Blackbaud, which manages data for many nonprofits and educational institutions, informed us that it was the target of a ransomware attack in early 2020. You may have received a similar email about this Blackbaud incident from other non-profits or universities you support whose data Blackbaud stewarded. Blackbaud has informed us that after discovering the attack, its Cyber Security team brought in law enforcement and independent forensics experts; they successfully expelled the cybercriminal from Blackbaud’s system. Blackbaud indicated that the cybercriminal did remove a copy of a backup file containing some of your personal information before being locked out of the system. A full description of the incident is available here. (Note: this link will take you to blackbaud.com, a third-party website.)
What Information Was Involved?
Blackbaud has informed us that the cybercriminal did not access any credit card information, bank account information, or social security numbers. Blackbaud has determined, however, that the file may have contained demographic information including customer and donor names, physical and email addresses, telephone numbers, and giving history.
Blackbaud informed us that the company paid the cybercriminal’s ransom and received confirmation that the stolen data had been destroyed.
Based on its internal research, law enforcement and other third-party investigation, and the nature of the incident, Blackbaud concluded that no data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What Blackbaud and EARTH University Foundation Are Doing
The Foundation is notifying you out of an abundance of caution.
Blackbaud has assured us—and you—of its commitment to prevent future cyber theft; it has already implemented several changes to better protect your data.
Blackbaud notified us that its teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. The company has confirmed through testing by multiple third parties, including the appropriate platform vendors, that its fix withstands all known attack tactics. Additionally, Blackbaud notes that it is accelerating its efforts to further harden its environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
What You Can Do
Although we currently have no reason to believe that your personal information will be misused, we encourage you to remain vigilant and promptly report any suspicious activity or suspected identity theft to us, to Blackbaud, and to the proper law enforcement authorities.
We sincerely apologize for this incident and regret any inconvenience it may cause you. Please do not hesitate to contact us should you have any further questions or concerns regarding this matter and/or the protections available to you.
EARTH University Foundation