Data security incident at supplier Blackbaud

Utrecht University was informed by Blackbaud, an external supplier, about a data security incident. Blackbaud is the world's largest supplier of Customer Relation Management systems (CRM) for educational institutions and organisations in the non-profit sector. According to our information, this incident affected a large number of educational institutions worldwide, Utrecht University being one of them.

Utrecht University uses the relationship management system of Blackbaud to register our contact with alumni, donors and relations. We take our responsibility of protecting data very seriously. Immediately after Blackbaud informed us, we started our own research into the nature and extent of the incident and which data it concerned. More information about this can be found below, including the steps we have taken.

What happened?

On 16 July we were informed by Blackbaud that they were hit by a cyberattack. Read Blackbaud’s statement . During the attack, which took place between 7 February and 20 May, an outdated database of Utrecht University came into the hands of unauthorised persons. We very much regret this.

Blackbaud informs us that they received confirmation that the data in question have now been destroyed by these hackers and reports that there is no reason to assume that the data were disseminated by them.

Utrecht University has been in close contact with Blackbaud's management in recent weeks to gain insight into the data involved in the incident in order to inform those involved as quickly and fully as possible. We expect to receive the information in the course of Tuesday 11 August or Wednesday 12 August.

Which data are involved?

In the case of Utrecht University: as a result of the successful ransomware attack, hackers gained access to an old back up from 2017 that was unintentionally still archived on the Blackbaud server. As a result most likely, the following data from alumni, donors and business contacts came into the hands of these hackers:

• (user) name, gender, date of birth, nationality and language
• contact details: email address, phone number, postal address
• information about event attendance and donation behaviour
• in the case of alumni, this also concerns information about education and career path

Bank details and passwords were encrypted and were therefore not accessible to the hackers.

What are the possible consequences of the attack?

Blackbaud informed us that the incident has been investigated by, among others, an independent specialist. The company received confirmation that the data backup in question was destroyed by the hackers and reports that there is no reason to assume that the data were disseminated by them. In view of the large number of educational institutions and foundations worldwide that have been affected by this incident, we have no reason to assume that the cyberattack was specifically aimed at Utrecht University or our contacts. For this reason, we currently assess the probability of any risks to the privacy of those involved as low.

What action have we taken?

In resolving the incident and the follow-up steps to be taken, we are working together with other affected universities, including TU Delft (Delft University of Technology).

• We have been in close contact with Blackbaud's management since 16 July 2020. At the moment we give priority to obtaining the information we need as UU in order to properly and fully inform those involved.
• We are investigating why there was still an outdated backup from Utrecht University on Blackbaud's server.
• We are figuring out what caused the delay between the cyberattack and the moment Blackbaud informed us about it, and what steps the company is taking to improve the security of their systems.
• We will evaluate the cooperation with Blackbaud and investigate whether this incident should result in follow-up steps towards Blackbaud.
• We will examine what consequences this has for the way in which we have organised our CRM database internally.

What can you do?

The affected persons will be notified by us as soon as we have received the necessary data from Blackbaud. Until then, we do not know which relationships have been affected by this incident. What is certain, however, is that those who graduated after April 2017 will in any case not have been affected. The term at which those involved will receive notification depends on the speed with which we receive the necessary information from Blackbaud.

You do not need to take any action in response to this incident. However, we do ask everyone to always be alert to suspicious messages or transactions and to only open and answer emails from a reliable source. We also ask you to report suspicious situations to the Computer Emergency Response Team of Utrecht University via cert@uu.nl.