As you are a valued member of the University of London community, we are contacting you today to notify you of a data incident which may have affected your personal data. We believe it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as University of London data, so it may have involved your personal information.

What happened
On 16 July, we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of database management systems for not-for-profit organisations and the Higher Education sector.

They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included University of London data.

We use this system to record engagement with members of the University community, including alumni, members of friends groups, and supporters. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud’s systems with members of our community today.

We would like to reassure you that:

  • A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
  • Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details, was accessible;
  • Blackbaud also confirmed that no credit card information formed part of the data theft. We want to stress that if you have provided the University with credit card numbers or bank details in the course of a donation or purchase, this information was not included, exposed or accessed in the course of the incident.
  • We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed.
  • Blackbaud has engaged security experts to search for misuse of the data and no evidence has been found of this; they are also monitoring the dark web looking for any traces of the data affected in this incident.
  • We have determined that the file removed may have contained your contact information, educational and demographic information, professional details, fundraising activities, and a history of your relationship with our organisation, such as event attendance, donation dates and amounts. If you administrate a society or affiliated organisation your status as a representative and your contact details may be included. For more information, see our Privacy Policy.
  • However, we would like to reiterate that we believe the risk attached to this incident is low, based on the steps taken by our contracted supplier. You can read their response on the Blackbaud website.

What we are doing
We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant. We have informed the Information Commissioner’s Office (ICO), the UK regulator for data protection, of the breach and will assist them with their enquiries. We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected.

We are also working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security. We understand that as part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will help protect your data from any subsequent incidents, including identifying the vulnerability associated with this incident, including the tactics used by the cybercriminal, and taking swift action to fix it.

What you can do
No action is required from you at this time; however, as best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities. You can reach the University about this by emailing blackbaud_incident@london.ac.uk.

For more information
We sincerely apologise for this incident and regret any inconvenience it may cause you. We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. You can also go to our website to keep up to date with how we are responding to this issue, including our response to any recommendations from Blackbaud, the ICO or regulatory authorities.

Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at blackbaud_incident@london.ac.uk

Sincerely,

Bill Abraham
Director of Development

Kit Good
Data Protection and Information Compliance Manager

You are receiving this email because you have a connection to the University of London.

University of London
Senate House, Malet Street, London, WC1E 7HU

www.london.ac.uk
