Blackbaud Data Security Incident
Iowa Wesleyan University was notified by Blackbaud, one of our third-party service providers, of a security incident. Blackbaud is one of the world’s largest providers of cloud-based fundraising and finance services for not-for-profit organizations and the higher education sector.
This data breach occurred sometime between February 7 and May 20. Blackbaud informed us that they discovered and stopped a ransomware attack and, with the help of independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking or encrypting files. However, the cybercriminal was able to remove information belonging to several of Blackbaud’s clients, including Iowa Wesleyan University.
Because protecting customers’ data is their top priority, our third-party service provider paid the cybercriminal’s demand with confirmation that the data they removed had been destroyed.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What Information Was Involved
It’s important to note that the cybercriminal did not access your credit card information, bank account information, or social security number.
However, we have determined that the data removed may have contained information pertaining to your relationship with Iowa Wesleyan University, including a summary of philanthropic giving history, public information such as name, title, date of birth, spouse/partner information, contact information, educational attainment (such as degree, major, class year), and student activity involvement (such as participation in athletics or clubs).
What We Are Doing
We are notifying you so that you can take immediate action to protect yourself. Ensuring the safety of our constituents’ data is of the utmost importance to us. As part of their ongoing efforts to help prevent something like this from happening in the future, our third-party service provider has already implemented several changes that will protect your data from any subsequent incidents.
First, the provider’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. Blackbaud has confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, they are accelerating efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
What You Can Do
We do not believe there is a need for you to take any action at this time. Although there is currently no evidence that your information has been misused, as a best practice we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
For More Information
We sincerely apologize for this data breach of our vendor Blackbaud’s system and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact the Iowa Wesleyan University Advancement Office at 319-385-6215 or firstname.lastname@example.org.