What has happened?
On 16 July 2020, we were notified by Blackbaud, a third-party cloud computing provider, that in May 2020 they had suffered a data security incident which they had discovered and managed to stop.
What was the nature of the incident?
Blackbaud have confirmed to us that the attackers attempted to carry out a ransomware attack. This involves the attackers encrypting a victim company’s data, and then offering a decryption key in exchange for a ransom. As further leverage to extract the payment of a ransom by Blackbaud, the attackers also copied some back-up files. The attackers offered to delete the copies of the back-ups if the ransom was paid.
Blackbaud say that they were able to avoid a shutdown of their systems caused by the ransomware. However, they engaged with the attacker and paid the ransom in order to secure the deletion of the copies of the back-ups that were taken.
What guarantees are there that those backups have been deleted?
We were not aware of this ransom negotiation or payment and have only since become aware of what happened from the information provided by Blackbaud. Blackbaud have provided reassurances around the potential risk to the University’s data, given that it was a condition of the ransom payment that the data was deleted. Blackbaud have indicated that the attacker’s motivation in the attack was to obtain the ransom payment, and not to target the data in the backups itself. Indeed, Blackbaud have confirmed that none of the backups contained bank account numbers, identifiable payment card details, or other information needed for identity theft.
Blackbaud believe that the attackers would keep to their word in deleting the back-ups for the following reasons:
- Ransomware attackers’ business models rely on them keeping their word, such that future victims will not consider paying a ransom if there is no confidence that the attacker will do what it says it will do.
- A specialist ransomware negotiation company was used, who gathers intelligence on cyber attackers and whether they have a history of keeping their word.
- US Federal law enforcement also keeps intelligence on the attackers.
- As a result of the assurances Blackbaud received that the attacker would keep to its word, Blackbaud paid the ransom.
In case the attacker did not do what it promised, Blackbaud has also retained the services of a specialist cyber security company to constantly scour the dark web and other areas where cyber criminals offer stolen information for sale. Blackbaud has also requested US Federal law enforcement to help with that search. Blackbaud confirmed that they have not found any information from the attack being offered. Blackbaud has committed to search indefinitely and update its customers, in the unlikely event that data does surface.
What information was involved?
We have been given the assurances mentioned above by Blackbaud regarding financial details. However, it is possible that some of the information may include:
- Basic details e.g. name, title, gender, date of birth and student number (if applicable);
- Addresses and contact details e.g. phone, email and LinkedIn profile URL;
- Course and educational attainment details, e.g. what qualification you received and some of the extracurricular opportunities you participated in while studying at Edinburgh Napier (if applicable);
- A record of your engagement with alumni and fundraising activities e.g. enquiries, event participation, volunteering, donations, and any other interactions you have with us;
- Professional details, e.g. the profession you work in and your employer;
- Information about your interests you have provided to us e.g. in response to one of our surveys.
We continue to work hard to determine exactly what information was included in the affected subset of data.
I have an account with your website, is my password safe?
Yes. Passwords are stored in encrypted form and so were not accessed.
Why was I not made aware of this sooner?
We were advised of this incident on 16 July. Since then we have undertaken our own investigations with Blackbaud in order to collate the information needed to contact you.
Why were you only made aware of this in July?
We understand that the delay was caused by Blackbaud defending against the attack, undertaking their own investigation, applying relevant remedial measures and preparing notifications to its customers.
What are you doing?
Our Senior Leadership Team are working to understand from Blackbaud how this happened. We are liaising with the Information Commissioner’s Office (ICO) about this incident and have a legal team supporting us. We don’t yet know everything, but we wanted to tell you as much as we can, as soon as we felt we were in a position to do so. We will also be reviewing our ongoing use of Blackbaud services as part of our response to this incident.
What is Blackbaud doing?
Blackbaud has advised that it has implemented several changes intended to protect data from any subsequent incidents; for further details please see their own statement.
What can I do?
Based on the reassurances provided by Blackbaud, it is unlikely that there will be a residual risk to individuals’ data as a result of the attack.
However, the attack acts as a reminder that it’s always good to be aware of how to keep your personal data secure. Helpful information on how to do this can be found here.
Who else has been affected by this breach?
We understand from public sources that this has impacted a number of organisations globally, across a number of sectors.
What if I want you to delete my details from your system?
If this is something you would like us to do, please contact us directly at firstname.lastname@example.org. Please note that we may need to retain a minimum amount of information for statutory purposes.
Will you be informing members and supporters?
We have contacted our members and supporters by email in order to inform them of what happened and direct them to our website where we will issue further information as we receive it.
Anyone with specific concerns can get in touch with us, as set out below.
Will you be paying compensation?
For the reasons we have explained in our public statement, we do not consider this incident places individuals at risk.
For more information
You can contact us directly at email@example.com.
We continue to be grateful for your support, and although we could not have prevented this happening, we are sorry that this has happened.
We can assure you that our systems and practices are robust and that we will always be honest and open with you.