Dear Donors and Foundation Friends,
On July 16, 2020, Blackbaud, our cloud software service provider, provided the Maricopa Community Colleges Foundation notice of a data security incident. Maricopa Community Colleges Foundation is one of many Blackbaud customers impacted by the security incident. Blackbaud’s notice included an overview of the cyberattack, confirmed law enforcement was notified and involved in responding to the attack, and provided its conclusion that the cybercriminal did not access credit card information, bank account information, user names, passwords or social security numbers.
Who is Blackbaud?
Blackbaud is a leading cloud software company serving nonprofits, foundations, educational institutions and healthcare organizations. It offers a portfolio of tools designed for fundraising and CRM, marketing, advocacy, peer-to-peer fundraising, corporate social responsibility, school management, ticketing, grantmaking, financial management, payment processing and analytics. Blackbaud reports that it had 45,000 customers located in over 100 countries by the end of 2019.
What did Blackbaud report?
Blackbaud sent an email to a Foundation representative reporting:
We are writing to notify you about a particular security incident that recently occurred. Please review this email for a personalized link, next steps and resources created for your organization specifically.
The Cybercrime industry represents an over trillion-dollar industry that is ever-changing and growing all the time—a threat to all companies around the world. At Blackbaud, our Cyber Security team successfully defends against millions of attacks each month and is constantly studying the landscape to ensure we are able to stay ahead of this sophisticated criminal industry.
In May of 2020, we discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers. After discovering the attempted attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.
Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information, or social security numbers. Because protecting our customers’ data was our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. In accordance with regulatory requirements and in an abundance of caution, we are notifying all organizations whose data was part of this incident and are providing resources and tools to help them assess this incident.
What This Means for Your Organization Specifically
Our public cloud environment (Microsoft Azure and Amazon Web Services) and most of our self-hosted datacenters, products and customers were not part of this incident, but we have confirmed the following specific to your organization:
A copy of your Blackbaud Financial Edge NXT, Blackbaud Raiser’s Edge NXT, and ResearchPoint backup was part of this incident. Again, the file the cybercriminal removed a copy of did not contain any credit card information. Further, the cybercriminal did not gain access to bank account information, usernames, passwords, or social security numbers stored in your database because they were encrypted. None of your data was lost or corrupted as a result of this incident.
And again, based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.
Blackbaud has published a notice regarding the security incident on its website, https://www.blackbaud.com/
-END OF BLACKBAUD NOTIFICATION-
We are providing you with this notice as part of our ongoing commitment to transparency with our constituents and partners. At this time, we are investigating the event to independently assess Blackbaud’s report that there is no reason to believe that the data exposed to the cybercriminal was or will be misused. We will report our findings to you.
We apologize for any inconvenience this event may cause. If you have questions, please do not hesitate to contact me at foundation.ceo.president@memo.
Brian F. Spicker
Interim President and Chief Executive Officer