Posted on 24 July 2020

The information below relates to a data security breach with a third-party service provider of the University of Aberdeen and the University of Aberdeen Development Trust. We believe it involves a number of healthcare, educational and not-for-profit organisations around the world, as well as the University of Aberdeen and the University of Aberdeen Development Trust. 

We take our data protection responsibilities very seriously. As soon as we were notified, we immediately launched our own investigation and further details are below, including the steps we have taken in response.

What happened?

Blackbaud, a third-party database and customer relationship management system supplier, advised us on 16 July 2020 that it had discovered a ransomware attack in May 2020. The cybercriminal removed data from its backup server during the attack, at some point between 7 February and 20 May 2020.

We have been informed that data related to our alumni, donors, and other external contacts was part of that. Blackbaud has advised that it worked with third parties, including law enforcement, and paid a ransom to ensure that the data the cybercriminal obtained was not shared any further and was destroyed, but we cannot verify this definitively.

What information was involved?

The data accessed by the cybercriminal may have contained some of the following information:

  • Basic details e.g. name, title, gender preference, date of birth;
  • Postal addresses, email addresses, and telephone numbers;
  • Educational details such as degree subject and year of graduation;
  • Details regarding current and previous employment;
  • Details of engagement with the University of Aberdeen and the University of Aberdeen Development Trust such as event attendance, volunteering activity, and details of meetings and/or correspondence with the University;
  • For a small number of donors, some financial-related data may have been involved.

What are we doing about the situation?

We immediately launched our own investigation upon being notified of the breach and have taken the following steps:

  • We are notifying those concerned so that they are aware of this breach of Blackbaud’s systems and can remain vigilant; 
  • We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance;
  • We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected;
  • We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.

What can those affected do?

We recommend that you remain vigilant and report promptly any suspicious activity or suspected identity theft, and that you review the information on how to stay safe online at the following websites:

Helpful guidance on action you can take against identity theft is available on the Information Commissioner’s Office website:

If you would like to speak to a member of staff about this, please contact us as follows:

The team will respond to voicemails and emails as soon as possible over Saturday 25 and Sunday 26 July and thereafter Monday to Friday, 9.00am to 5.00pm.

Steps we will take in future

We will continue to work with Blackbaud to investigate this matter. We are reviewing as a matter of urgency the contractual arrangements with Blackbaud, focusing on their current and proposed security measures for our data. We will also review as a matter of priority our ongoing association with Blackbaud.

We are very sorry for the concern and the inconvenience that this Blackbaud incident may have caused. Our University family means the world to us and we take extremely seriously anything which threatens to compromise you and our relationship with you. 

FAQs

What has happened?

Blackbaud, the third-party supplier of our alumni relations database and customer relationship management system, discovered a ransomware attack in May 2020. The cybercriminal removed data from its backup server during the attack, at some point between 7 February and 20 May 2020. We have been informed that data related to our alumni was part of that. Blackbaud has advised that it worked with third parties, including law enforcement, and paid a ransom to ensure that the data the cybercriminal obtained was not shared any further and was destroyed, but we cannot verify this definitively.

What information was obtained?

The data contained personal information of our alumni such as name, gender, date of birth, and familial relationships, as well as contact details including postal addresses, email addresses, and telephone numbers, and educational details such as degree subject and year of graduation. It may also have contained details regarding current and previous employment and engagement with the University of Aberdeen after graduation such as event attendance, volunteering activity, and details of meetings and/or correspondence with the University.

I have paid for alumni events in the past, are my financial details safe?

Yes, financial information used to process payments online – such as those for alumni events – was not accessed as this information is fully encrypted. We do not keep copies of cheques used to pay for alumni events in our database.

I have an account with the Alumni Hub, is my password safe?

Yes, the passwords for the Alumni Hub are fully encrypted and so these were not accessed.

Why was I not made aware of this sooner?

As soon as we were notified of the incident on 16 July, we launched an investigation to gather the information we needed to contact you.

Why was the University not made aware of this sooner?

Blackbaud has advised that they did not notify us sooner because they needed to: defend against the attack; conduct the subsequent investigation; take measures to address the issue that led to the incident; and prepare resources for its customers. We are investigating this further, however.

What is the University doing?

We are reviewing as a matter of urgency the contractual arrangements with Blackbaud, focusing on their current and proposed security measures for our data. We have also made a formal report to the Information Commissioner’s Office (ICO).

What is Blackbaud doing?

Blackbaud has advised that it has implemented several changes that will protect data from any subsequent incidents, but we await details on this and what else they plan to do in future.

Is the University going to switch supplier as a result of this?

We will review as a matter of priority our ongoing association with Blackbaud. Our alumni mean the world to us and we take extremely seriously anything which threatens to compromise you and our relationship with you.

What can I do?

We recommend that you remain vigilant and report promptly any suspicious activity or suspected identity theft and that you review the information on how to stay safe online at the following websites:

Helpful guidance on action you can take against identity theft is available on the Information Commissioner’s Office website: www.ico.org.uk/your-data-matters/identity-theft.

What if I think I have been adversely affected by this breach?

Please refer to the Information Commissioner’s Office website at www.ico.org.uk/your-data-matters/identity-theft for guidance.

Who else has been affected by this breach?

Although we have not been advised officially, we understand a significant number of organisations have been affected globally.

What if I want you to delete my details from your system?

If this is something you would like us to do, please contact us directly at alumni@abdn.ac.uk. Please note that we may need to retain a minimum amount of information for statutory purposes.