Data security incident at supplier Blackbaud

Update 14 August 2020: The affected persons were informed by Utrecht University by email on Friday 14 August. It’s possible this message ended up in your spam folder. Individuals for whom we do not have a valid email address will receive a postal letter in the near future. Utrecht University has taken the utmost care to inform all contacts concerned in the incident. If you did not or do not receive a notification from us, you can assume that you are in principle not involved. Alumni who would like to verify whether their data have been affected may send a message to blackbaud@uu.nl.

Update 20 August 2020: Below, we have added a list of FAQs related to this incident, such as questions about the Citizen Service Number (BSN) and the data encryption methods used.

Utrecht University was informed by Blackbaud, an external supplier, about a data security incident. Blackbaud is the world's largest supplier of Customer Relationship Management (CRM) systems for educational institutions and organisations in the non-profit sector. According to our information, this incident affected a large number of educational institutions worldwide, Utrecht University being one of them.

Utrecht University uses the relationship management system of Blackbaud to register our contact with alumni, donors and relations. We take our responsibility of protecting data very seriously. Immediately after Blackbaud informed us, we started our own research into the nature and extent of the incident and which data it concerned. More information about this can be found below, including the steps we have taken.

What happened?

On 16 July we were informed by Blackbaud that they were hit by a cyberattack. Read Blackbaud’s statement. During the attack, which took place between 7 February and 20 May, an outdated database of Utrecht University came into the hands of unauthorised persons. We very much regret this.

Blackbaud informs us that they received confirmation that the data in question have now been destroyed by these hackers and reports that there is no reason to assume that the data were disseminated by them.

Utrecht University has been in close contact with Blackbaud's management in recent weeks to gain insight into the data involved in the incident in order to inform those involved as quickly and fully as possible. We expect to receive the information in the course of Tuesday 11 August or Wednesday 12 August.

Which data are involved?

In the case of Utrecht University: as a result of the successful ransomware attack, hackers gained access to an old backup from 2017 that was unintentionally still archived on the Blackbaud server. As a result, the following data from alumni, donors and business contacts most likely came into the hands of these hackers:

  • (user) name, gender, date of birth, nationality and language
  • contact details: email address, phone number, postal address
  • information about event attendance and donation behaviour
  • in the case of alumni, this also concerns information about education and career path

Bank details and passwords were encrypted and were therefore not accessible to the hackers.

What are the possible consequences of the attack?

Blackbaud informed us that the incident has been investigated by, among others, an independent specialist. The company received confirmation that the data backup in question was destroyed by the hackers and reports that there is no reason to assume that the data were disseminated by them. In view of the large number of educational institutions and foundations worldwide that have been affected by this incident, we have no reason to assume that the cyberattack was specifically aimed at Utrecht University or our contacts. For this reason, we currently assess the probability of any risks to the privacy of those involved as low.

What action have we taken?

In resolving the incident and the follow-up steps to be taken, we are working together with other affected universities, including TU Delft (Delft University of Technology).

  • We have been in close contact with Blackbaud's management since 16 July 2020. At the moment we give priority to obtaining the information we need as UU in order to properly and fully inform those involved.
  • We are investigating why there was still an outdated backup from Utrecht University on Blackbaud's server.
  • We are figuring out what caused the delay between the cyberattack and the moment Blackbaud informed us about it, and what steps the company is taking to improve the security of their systems.
  • We will evaluate the cooperation with Blackbaud and investigate whether this incident should result in follow-up steps towards Blackbaud.
  • We will examine what consequences this has for the way in which we have organised our CRM database internally.

What can you do?

The affected persons will be notified by us as soon as we have received the necessary data from Blackbaud. Until then, we do not know which relations have been affected by this incident. What is certain, however, is that those who graduated after April 2017 will in any case not have been affected. How soon those involved will receive notification depends on the speed with which we receive the necessary information from Blackbaud.

You do not need to take any action in response to this incident. However, we do ask everyone to always be alert to suspicious messages or transactions and to only open and answer emails from a reliable source. We also ask you to report suspicious situations to the Computer Emergency Response Team of Utrecht University via cert@uu.nl.

More information and contact

Blackbaud’s statement on this cyberattack can be found here. If you have a specific question about this incident, please contact us at blackbaud@uu.nl. We hope for your understanding that we are not always able to provide satisfactory information.

If you have questions or complaints about how Utrecht University handles your personal data, you can contact the independent data protection officer by e-mail (fg@uu.nl) or by telephone (030-253 1977). You are always at liberty to submit a complaint to the Dutch National Data Protection Authority by calling 088-1805 250 (free of charge).

We deeply regret any inconvenience this incident may cause. Please be assured that we take data protection very seriously and that we appreciate the continued support and commitment of our community.