P2021-ND-045

On July 16, 2020, the Organization was notified of a security incident by Blackbaud, a third-party provider of cloud computing services for educational institutions and other not-for-profit organizations. The Organization uses Blackbaud?s customer relationship management (CRM) platform to support its data for alum, parents, students and broader community. Blackbaud informed the Organization that its database backup had been affected by a security incident, which began in February 2020, but that they discovered in May 2020. Blackbaud informed the Organization that it successfully prevented the cybercriminal from blocking Blackbaud?s system access and fully encrypting files, and ultimately expelled them from the system. Nonetheless, the cybercriminal removed a copy of a subset of data from Blackbaud?s self-hosted environment, including the Organization’s backup. Blackbaud paid the cybercriminal?s demand with confirmation that the copy had been destroyed. Blackbaud indicated that based on the nature of the incident, its research, and third party (including law enforcement) investigation, it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.

File Type: pdf
File Size: 604 KB
Categories: 2021