Blackbaud data security incident

Last updated: Thursday, 1 October 2020

On 18 July 2020 we were informed by Blackbaud, one of the world’s largest providers of customer relationship management services to non-profit and education organisations, that it was affected by a data security breach.

We understand that this breach affected a number of Blackbaud’s customers, including The University of Manchester.

No action is required in relation to this incident.

We set out below further details of the incident and the steps that we have taken in response.

Details of the breach

We were informed by Blackbaud on 18 July 2020 that our data was involved in a ransomware attack to which it had been subjected, during which the cybercriminal removed a copy of data from a number of its clients. The data included information on alumni and donors.

Since then, we have been undertaking our own investigation to discover who, and what type of data, may have been affected.

Data which may have been affected

Blackbaud has confirmed to us that:

  • it has conducted an investigation (involving law enforcement agencies);
  • no passwords, credit card details or bank account information were affected;
  • it obtained confirmation that the data removed by the cybercriminal was destroyed; and
  • it has no reason to believe that any data went beyond the cybercriminal, was or will be misused or will be disseminated or otherwise made available publicly.

(Please see https://www.blackbaud.com/securityincident for further details.)

We understand that, although professional information, contact details, name, date of birth and information regarding engagement with the University were removed during the attack, the data affected is low risk.

Further update from Blackbaud on Tuesday, 29 September 2020

You may have seen reports in the press during the week beginning 28 September 2020 that Blackbaud’s investigation revealed that for some customers, the cybercriminal may have accessed some bank account information, social security numbers, usernames and/or passwords.

Blackbaud contacted the University of Manchester on Tuesday, 29 September 2020 to confirm that the University is not one of those customers affected by these additional findings.

We would like to reiterate that no credit card details, bank account information, social security numbers, usernames and/or passwords were accessed.

Further steps

We have taken the following actions in response to this incident:

  • commenced a thorough investigation;
  • informed the Information Commissioner’s Office (ICO) about the breach;
  • asked Blackbaud to detail the steps that it will take to ensure that it will not be affected by similar incidents in the future.

No action is required in relation to this incident. However, we encourage you to remain vigilant and report any unusual activity in the normal way.

Unless we have a legal obligation to do so, we will not disclose information to individuals, organisations or other entities outside the University other than those which are acting as agents (data processors) for the University (for example, the company which prints and sends our annual alumni magazine, or the volunteers who run our alumni groups). The University does not store any credit/debit card details and is fully PCI-DSS compliant. Nor do we store any national insurance or social security numbers, and we will never ask for these. You can verify that any communication you receive relating to alumni or donor matters is genuine by contacting the email address below. Further information on how we process personal information is available in our privacy notice.

We will let you know if there is any action you need to take in the future. Please be assured that the University of Manchester takes data protection very seriously.

If you have any questions regarding this incident, please contact alumni@manchester.ac.uk

How we use your information

The University of Manchester Division of Development and Alumni Relations (DDAR) processes personal information in accordance with all relevant data protection legislation. Our Privacy Notice is available here; and further information about data protection at the University is available here. Please tell us how you want to hear from DDAR by contacting us on alumni@manchester.ac.uk or +44 (0)161 306 3066; if you are a graduate you can also manage your personal information online at https://network.manchester.ac.uk/.