Statement concerning Blackbaud data breach
31 July 2020
On 16 July 2020 King Edward VI Foundation was notified by Blackbaud, a third-party software provider, of a data breach owing to a ransomware attack on their system. The school takes its approach to data security very seriously and we are taking all necessary steps to review and respond to this incident.
Blackbaud is one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and educational institutions, and we understand a significant number of organisations in the UK and across the world have been affected by this attack.
We use Blackbaud’s system to manage Development Office processes, such as communications, event management and fundraising, and to store information. Blackbaud has confirmed that the data taken does not include encrypted data, such as credit card or bank account information, and that alumni and friends of the school do not need to take any action at this time.
This page provides information on what Blackbaud has told us about the incident and what action we have taken.
On 16 July 2020, Blackbaud notified us that it had been subjected to a ransomware attack, which it believes happened in May. As part of this, the cybercriminal accessed a subset of data from schools, universities and other charities containing personal information, which they offered to destroy in exchange for a payment.
Blackbaud’s cyber security team worked together with independent forensics experts and law enforcement agencies to expel the cybercriminal from its systems and fix the vulnerability they had used to access the data. Upon confirmation that the stolen data had been destroyed, Blackbaud paid the cybercriminal’s demand. Government, law enforcement and third-party cyber-security experts believe that the data did not go any further than the cybercriminal and was not shared or misused. Blackbaud has notified the UK’s Information Commissioner’s Office (ICO) and has issued an online statement.
What information was involved?
Blackbaud has confirmed that no encrypted data, such as credit card or bank account information, usernames or passwords, was accessed. It is possible that the following data may have been accessed: personal and contact details, education information, professional information, correspondence history, and details of supporter engagement with us, including event attendances, volunteering and donation amounts.
What is the School doing?
Since being notified on 16 July, we have been working with the Foundation’s Data Protection Officer. We have been in touch with the ICO about the breach and are awaiting their further guidance. We are speaking to other schools and universities to understand how they too have been affected, and to share best practice in dealing with this incident. We are notifying those affected as far as is practical. We are also clarifying with Blackbaud the actions they have taken, why there was a delay in notifying the Schools and what additional steps they are taking to increase their security.
What do you need to do?
As there is no financial or sensitive data involved in the incident, you do not need to take any action at this time. However, as best practice, we recommend you remain vigilant and promptly report any suspicious activity related to your data to the police via Action Fraud.
If you have any concerns about this incident, please email: firstname.lastname@example.org
We will continue to work with Blackbaud, other affected institutions and the Foundation’s Data Protection Officer. If further relevant information becomes available, we will be in touch with our alumni and friends again. In the meantime, we wish to reassure our supporters that we have seen no evidence to contradict Blackbaud’s assurances that the incident was dealt with quickly and that the data copy has been appropriately destroyed.
We value greatly the support of all our alumni and friends of the Schools and sincerely regret any concern or inconvenience that this incident may cause.