We take our data protection responsibilities very seriously and, whilst Blackbaud inform us that they have taken robust measures to deal with this incident, we immediately launched our own investigation following the notification of the event.
While we understand that the risk to our community is low, we are providing this information in the spirit of transparency and to highlight the importance of being vigilant to potential social engineering scams. We recognise that this is unsettling news and sincerely apologise that this has happened. We value our relationship with you and protecting your information has always been, and remains, one of our top priorities.
On 16 July 2020 we were contacted by Blackbaud, a cloud computing provider and one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. As part of the attack, the cybercriminal was able to remove a copy of a subset of data from a number of their clients as part of their ransom demand. This included a subset of Edinburgh Napier University’s data. Blackbaud have confirmed that the data was subsequently deleted by the cybercriminal as part of their negotiations.
We use this system to record engagement with members of the University community, including alumni, staff and students, and extended networks and supporters. Having reviewed the information, we are sharing details of this incident at Blackbaud with members of our community.
What information was involved?
We would like to reassure our community that:
- a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
- Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible;
The majority of data accessed by the cybercriminal contained names and email addresses however this may have involved more information such as update details, gift history and attendance at university events for individuals signed up to our Alumni portal.
The data copied by the cybercriminal may have contained some of the following information:
- Basic details e.g. name, title, gender, date of birth and student number (if applicable);
- Addresses and contact details e.g. phone, email and LinkedIn profile URL;
- Course and educational attainment details, e.g. what qualification you received and some of the extracurricular opportunities you participated in while studying at Edinburgh Napier (if applicable);
- A record of your engagement with alumni and fundraising activities e.g. enquiries, event participation, volunteering, donations, and any other interactions you have with us;
- Professional details, e.g. the profession you work in and your employer;
- Information about your interests you have provided to us e.g. in response to one of our surveys.
Please note that this incident has potentially affected millions of data records worldwide, so while this provides ‘cold comfort’, we can assure you that this attack was not targeted at Edinburgh Napier University and we have no reason to believe that the cybercriminal’s motive was to access individual records. As noted above, Blackbaud have confirmed that the cybercriminal subsequently deleted the copies of the stolen data as part of their negotiations.
What are we doing about the situation
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand.
Blackbaud has advised us that it paid the ransom and received confirmation from the cybercriminal that the copied data had been destroyed.
We also immediately launched our own investigation and have taken the following steps:
- We have informed the Information Commissioner’s Office (ICO) of the incident and will cooperate fully with their enquiries;
- We are notifying you so that you are aware of this incident at Blackbaud and can remain vigilant;
- We are conducting our own investigation and working together with other institutions in the educational sector to understand the wider perspective;
- We are working with Blackbaud to understand why there was a delay between them discovering the security breach and notifying us, as well as what actions they have taken to increase their security;
- We will continue to provide updates as and when we become aware of further information of importance. We will provide updates on this website.
There is no need for our community to take any action at this time and we are unable to provide any more information at this stage. We will, of course, provide updates as we become aware of any further important information. As a best practice, we recommend people always remain vigilant and promptly report any suspicious activity or suspected identity theft to the law enforcement. Information about Phishing, protecting yourself and reporting unusual activity can be found here.
We deeply regret any inconvenience that this data breach by Blackbaud may have caused. Please be assured that we take data protection very seriously and we are grateful for our community’s understanding, continued support and engagement.
We will keep our website updated – please check this for further information in the first instance. However if you would like to contact us in relation to this incident please contact: firstname.lastname@example.org
For more information about the Blackbaud security incident, please read our FAQs.