Notification of Third-Party Vendor Security Incident, August 2020
This communication is to notify constituents of the University of South Carolina that Blackbaud, Inc., one of our outside vendors, recently made us aware of a data security incident that may have affected some of our constituents’ personal data. UofSC and its affiliate foundations take the protection and proper use of personal data very seriously. We are, therefore, providing the information below to explain the incident and the steps that have been taken in response.
We were recently notified by Blackbaud, Inc., that it discovered and stopped a ransomware attack on Blackbaud’s infrastructure. Blackbaud is a software company that provides data services to nonprofit organizations across the country and globe. Blackbaud reports that, after discovering the attack, its cybersecurity team worked with independent forensics experts and law enforcement to expel the attacker from its system.
According to Blackbaud, prior to being locked out, the cybercriminal removed a copy of a subset of data from Blackbaud’s self-hosted environment that contained information related to individuals affiliated with multiple charitable institutions. Blackbaud reports that it paid the cybercriminal’s demand and received confirmation that the data copy has been destroyed. According to Blackbaud, this incident occurred at some point between February 7, 2020, and May 20, 2020, and was discovered in May 2020.
What Information Was Involved?
The subset of data that was removed may have contained constituents’ names and contact information, along with some demographic information, date of birth and constituents’ giving profiles and history. Based on the nature of the incident, Blackbaud’s research, and third-party investigation, including law enforcement, Blackbaud has stated it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. As an extra precautionary measure, Blackbaud reports it has hired a third-party team of experts to monitor the dark web.
What Additional Safety Measures Are Being Taken?
UofSC is continuing to monitor the situation, including Blackbaud’s response and mitigation efforts. To ensure the future safety of constituents’ data, Blackbaud has stated that it has implemented several changes to protect against subsequent incidents. Blackbaud reported it has identified the vulnerability that was associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix it. Blackbaud has asserted that it has confirmed, through testing by multiple third parties, including the appropriate platform vendors, that this fix withstands all known attack tactics. Additionally, Blackbaud has disclosed that it is accelerating its efforts to further harden its environment through enhancements to access management, network segmentation and deployment of additional endpoint and network-based platforms. For additional information about Blackbaud security and response to this incident, visit https://www.blackbaud.com/securityincident.
As UofSC continues to monitor this situation, we will notify our constituents directly if we obtain evidence that their personal information was exposed beyond what was described above.
What Should You Do?
It is always best practice to monitor your personal accounts and credit history for unusual activity and to contact the appropriate financial institutions, law enforcement authorities or credit bureaus if you have concerns. Always remain alert to email and telephone scams asking for money or personal information. For your convenience, we are providing contact information for the three major credit bureaus:
3 MAJOR CREDIT BUREAUS / CONSUMER REPORTING AGENCIES
P.O. Box 105788
Atlanta, GA 30348
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19022
We sincerely apologize for this incident and regret any inconvenience it may cause you. If you have questions or concerns, please call toll-free 1-866-938-0462 between 9:00 a.m. and 6:30 p.m. EST, Monday - Friday (excluding some U.S. holidays).