Notification of data breach
Dear Oluwatoyin
We are emailing you to let you know about a recent incident concerning Blackbaud, the service provider which hosts our SOASworld NetCommunity. The incident has now been resolved, and you don’t need to take any action.
What happened
We were recently contacted by Blackbaud, one of the world’s largest providers of database management systems for higher education and the third sector. They informed us that they had been the victim of a ransomware attack in May 2020. The perpetrator was able to remove a copy of a subset of data from a number of their clients. We understand it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as SOAS data.
We use Blackbaud’s systems to record engagement with members of the School community, including alumni, and supporters. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud’s systems with members of our community.
A detailed forensic investigation was carried out on behalf of Blackbaud by law enforcement and third-party cyber security experts.
We would like to provide reassurance that:
- No bank account or credit card details were lost, as no bank account or credit card details exist in SOAS’s Blackbaud systems.
- No usernames or passwords for alumni or other constituents were part of the data theft, as these are encrypted.
However, we have determined that the file removed may have contained the name and contact information of graduates. It does not include information about their fundraising activities, the history of their relationship with our organisation, event attendance, or donation dates and amounts. For more information, see our Alumni and Supporter Privacy Notice.
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed. Blackbaud paid the ransom before it notified SOAS or any of its other clients about the incident. The School has not paid nor will we pay any part of the ransom fee.
Blackbaud has engaged security experts to search for misuse of the data and no evidence has been found of this. They are also monitoring the dark web looking for any traces of the data affected in this incident.
We would like to reiterate that we believe the risk attached to this incident is low, based on the steps taken by our contracted supplier, and no action is required from you at this time. However, as is best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities. You can read their response on the Blackbaud website.
What we are doing
We are notifying all SOASworld online community members so they are aware of this breach of Blackbaud’s systems and can remain vigilant. We have informed the Information Commissioner’s Office (ICO), the UK regulator for data protection, of the breach and will assist them with their enquiries. We are taking steps to understand how many other parties in higher education and the wider not-for-profit sector have been affected.
We are also working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security. We understand that as part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will help protect data from any subsequent incidents, including identifying the vulnerability associated with this incident, including the tactics used by the cybercriminal, and taking swift action to fix it.
Further information
We sincerely apologise for this incident and regret any inconvenience it may cause you. We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. We intend to publish the ways that we respond to this issue, including our response to any recommendations from Blackbaud, the ICO or regulatory authorities.
Should you have any further questions, please contact us at blackbaud...@soas.ac.uk.
Best wishes
Paula Sanderson
Registrar and Secretary (Chief Operating Officer)