1. What Happened?
A third-party vendor named Blackbaud, which helps the Southern Connecticut State University Foundation manage its database of donors and alumni, informed us of a criminal cyberattack that resulted in unauthorized access to certain information. Upon learning of this incident, we worked with Southern’s information technology team and the Connecticut State Colleges & Universities (CSCU)/Board of Regents to review Blackbaud’s notification and determine what, if any, data may have been affected. Please know that we take this incident and the safeguarding of the security of our donors’ information very seriously.
2. Who is Blackbaud?
Blackbaud is a software and service provider for more than 25,000 nonprofit organizations, foundations, and institutes of higher education worldwide, including Southern and its three sister universities in the CSCU system. Current reports suggest numerous Blackbaud customers in multiple countries were affected.
3. When did the incident occur?
Blackbaud reports that it discovered and stopped the ransomware attack in May 2020. The Connecticut State Colleges and Universities system was notified in mid July. Upon learning of the incident, Southern began working in coordination with Connecticut State Colleges & Universities (CSCU) on a plan to investigate, learn the facts, and communicate with constituents. CSCU has reported the incident to the Connecticut Attorney General.
4. What Does SCSU Use Blackbaud Systems For?
The SCSU Division of Institutional Advancement and the SCSU Foundation use Blackbaud systems to manage and track alumni relations, donor relations, community relations, communications, events, and the finances of the SCSU Foundation.
5. What Information of Mine was Potentially Accessed?
Blackbaud advised all of its customers that NO credit card or banking information was included in the impacted files, and that NO Social Security numbers were accessible to the cybercriminal.
According to the company, the cybercriminal did access some Blackbaud customer data, including names, addresses, contact information, and degrees obtained at Southern.
Blackbaud has told us that based on the company’s own research, as well as investigation by law enforcement and other parties, the company has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
The Board of Regents of the CSCU system has contacted the Connecticut Attorney General’s office to assist us in confirming that assessment.
6. I am Not a Donor or an Alum. Why am I in your System?
Southern uses Blackbaud products to manage communications, events, some email updates, and other activities that involve non-donors and non-alums.
7. What is Blackbaud Doing to Address the Situation?
As part of ongoing efforts, Blackbaud has already implemented several changes to protect your data from any subsequent incidents. Its teams identified the vulnerability associated with this incident and took action to fix it. Blackbaud has tested its fix with multiple third parties, including the appropriate platform vendors, and assured Southern Connecticut State University that the fix withstands all known cyberattack tactics.
8. What Should I Do?
There is no need to take any specific action at this time. However, as a best practice, we recommend that you remain vigilant and promptly report any suspicious activity to the proper law enforcement authorities.
Our Commitment to You
While data breaches and ransomware attacks are becoming more common, this is not something that Southern Connecticut State University ever wants to happen to our valued supporters. Southern takes your privacy very seriously. We will continue to work with Blackbaud, the CSCU System and other authorities to look further into and monitor this incident. We sincerely apologize that this occurred through one of our third-party vendors and regret any inconvenience it may cause you. If you have any questions or concerns regarding this matter, please email Advancement@SouthernCT.edu.