We have updated this announcement to include FAQs in response to questions asked by our community.
Read the FAQs here.
We have contacted Brunel University London alumni and supporters to tell them about a data incident experienced by Blackbaud, a third-party service provider, which may have affected their personal data. We believe it involves a number of educational, healthcare and not-for-profit institutions in the UK and the USA, as well as Brunel data.
We take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are provided below, including the steps we have taken to ensure there is no further risk to our community.
On 16 July, we were contacted by Blackbaud, one of the world’s largest providers of database management systems for the Higher Education sector and not-for-profit organisations.
They informed us that they had been the victim of a ransomware attack between February and May 2020. The perpetrator was able to remove a copy of a subset of data from a number of Blackbaud’s clients. This included Brunel data.
We use this system to record engagement with members of the Brunel community, including alumni and supporters.
What information was involved?
A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts. Blackbaud have confirmed that credit card numbers and bank details were not included, exposed or accessed in the course of the incident.
What are we doing about the situation?
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the perpetrator’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the perpetrator that the data had been destroyed.
Blackbaud has engaged security experts to search for misuse of the data and they have informed us that no evidence has been found of this; they are also monitoring the dark web looking for any traces of the data affected in this incident. You can read their response on the Blackbaud website.
However, we have immediately launched our own investigation and have taken the following steps:
- whilst we are not aware of any specific risk to individuals as a result of this breach, we are notifying them so that they are aware and can remain vigilant
- we have informed the Information Commissioner’s Office (ICO, the UK regulator for data protection) of the breach, are awaiting further guidance and will assist them with their enquiries
- we are taking steps to understand how many other parties in higher education and the wider not-for-profit sector have been affected
- we are also working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
We understand that, as part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will help protect your data from any subsequent incidents. These include identifying the vulnerability associated with this incident, as well as the tactics used by the perpetrator, and taking swift action to fix it.
What you can do
There is no need for our alumni or supporters to take any specific action. However, to reflect best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
We sincerely apologise for this incident and regret any inconvenience it may cause.
We will continue to work with Blackbaud to investigate this matter and to discuss our future engagement with them. We will continue to liaise with and be advised by our Data Protection Officer and Cyber Security team.
Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.
Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at email@example.com.
Brunel University London Alumni Office
Added 30 June 2020
Why was I not made aware of this sooner?
As soon as we were alerted to the incident on, we immediately launched our own investigation to understand the details of the situation in order to be able to share it with you.
Why was Brunel not made aware of this sooner?
Blackbaud has advised that once the attack was discovered their priority was to block the system, undertake a thorough investigation with independent forensics experts and law enforcement, take measures to address the issue that led to the incident and prepare resources for its customers.
What has Brunel done since learning about the data breach?
Brunel take data protection incredibly seriously. The university’s data protection team took action to report the breach to the Information Commissioner’s Office, and teams across the university have been conducting their own investigation into the incident to ensure we were clear on the detail and its impact. This investigation is ongoing and we continue to seek clarification from Blackbaud on how the breach occurred and the security of our data. We will keep all individuals affected up to date if there is further information as we review our relationship with Blackbaud.
What measures has Blackbaud put in place?
Blackbaud has stated that they have worked with multiple third-party, independent firms to aggressively test the systems and they are confident that their remediation steps withstand all known attack tactics. For further details on Blackbaud’s response, see here.
Will Brunel continue to work with Blackbaud?
We have worked with Blackbaud for over 15 years. However, as a matter of priority we are reviewing our association with Blackbaud. Our alumni and supporter community is our priority and we will not compromise your data’s safety.
For specific queries on the data the university holds on you, please contact the Alumni office on firstname.lastname@example.org or the Data Protection team on email@example.com