The information below relates to a data security breach with a third-party service provider of the University of Aberdeen and the University of Aberdeen Development Trust. We believe it involves a number of healthcare, educational and not-for-profit organisations around the world, as well as the University of Aberdeen and the University of Aberdeen Development Trust.

We take our data protection responsibilities very seriously. As soon as we were notified, we immediately launched our own investigation and further details are below, including the steps we have taken in response.

What happened?

Blackbaud, a third-party database and customer relationship management system supplier, advised us on 16 July 2020 that it had discovered a ransomware attack in May 2020. The cybercriminal removed data from its backup server during the attack, at some point between 7 February and 20 May 2020.

We have been informed that data related to our alumni, donors and other external contacts was part of that. Blackbaud has advised that it worked with third parties, including law enforcement, and paid a ransom to ensure that the data the cybercriminal obtained was not shared any further and was destroyed, but we cannot verify this definitively.

What information was involved?

The data accessed by the cybercriminal may have contained some of the following information:

  • Basic details e.g. name, title, gender preference, date of birth;
  • Postal addresses, email addresses and telephone numbers;
  • Educational details such as degree subject and year of graduation;
  • Details regarding current and previous employment;
  • Details of engagement with the University of Aberdeen and the University of Aberdeen Development Trust such as event attendance, volunteering activity and details of meetings and/or correspondence with the University;
  • For a small number of donors, some financial-related data may have been involved.

What are we doing about the situation?

We immediately launched our own investigation upon being notified of the breach and have taken the following steps:

  • We are notifying those concerned so that they are aware of this breach of Blackbaud's systems and can remain vigilant;
  • We have informed the Information Commissioner's Office (ICO) of the breach and are awaiting further guidance;
  • We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected;
  • We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.

What can those affected do?

We recommend that you remain vigilant and report promptly any suspicious activity or suspected identity theft, and that you review the information on how to stay safe online at the following websites:

Helpful guidance on action you can take against identity theft is available on the Information Commissioner's Office website:

If you would like to speak to a member of staff about this please contact us as follows:

The team will respond to voicemails and emails as soon as possible, Monday to Friday, 9.00am to 5.00pm.

Steps we will take in future

We will continue to work with Blackbaud to investigate this matter. We are reviewing as a matter of urgency the contractual arrangements with Blackbaud, focusing on their current and proposed security measures for our data. We will also review as a matter of priority our ongoing association with Blackbaud.

We are very sorry for the concern and the inconvenience that this Blackbaud incident may have caused. Our University family means the world to us and we take extremely seriously anything which threatens to compromise you and our relationship with you.

FAQs

What has happened?

Blackbaud, the third-party supplier of our fundraising database and customer relationship management system, discovered a ransomware attack in May 2020. The cybercriminal removed data from its backup server during the attack, at some point between 7 February and 20 May 2020. We have been informed that data related to our donors was part of that. Blackbaud has advised that it worked with third parties, including law enforcement, and paid a ransom to ensure that the data the cybercriminal obtained was not shared any further and was destroyed, but we cannot verify this definitively.

What information was obtained?

The data contained personal information of our donors such as name, gender, and in some cases familial relationships, as well as contact details including postal addresses, email addresses and telephone numbers and for alumni, educational details such as degree subject and year of graduation. It may also have contained business details and engagement with the University of Aberdeen such as event attendance and details of meetings and/or correspondence with the University.

For a small number of donors who have donated by cheque or hard copy donation form, some financial-related information may have been involved.

I have made an online donation to the University of Aberdeen Development Trust. Are my financial details safe?

Yes, financial information used to process online donations was not accessed as this information is fully encrypted.

Why was I not made aware of this sooner?

As soon as we were notified of the incident on 16 July, we launched an investigation to gather the information we needed to contact you.

Why was the Development Trust not made aware of this sooner?

Blackbaud has advised that it did not notify us sooner because it needed to: defend against the attack; conduct the subsequent investigation; take measures to address the issue that led to the incident; and prepare resources for its customers. However, we are investigating this further.

What is the Development Trust doing?

We are reviewing, as a matter of urgency, the contractual arrangements with Blackbaud, focusing on their current and proposed security measures for our data. We have also made a formal report to the Information Commissioner's Office (ICO).

What is Blackbaud doing?

Blackbaud has advised that it has implemented several changes that will protect data from any subsequent incidents, but we await details on this and what else they plan to do in future.

Is the Development Trust going to switch supplier as a result of this?

We will review, as a matter of priority, our ongoing association with Blackbaud. Our donors mean the world to us and we take extremely seriously anything which threatens to compromise you and our relationship with you.

What can I do?

We recommend that you remain vigilant and report promptly any suspicious activity or suspected identity theft. Specifically, if you have donated by cheque or via hard copy donation form in the past we recommend that you review all financial transactions linked to your bank account and/or credit/debit card from 7 February 2020 onwards and contact your bank or card provider immediately if there is anything that you do not recognise. If you are unsure if this applies to you, please contact us on +44 (0)1224 272281 or at giving@abdn.ac.uk.

We also recommend that you review the information on how to stay safe online at the following websites:

Helpful guidance on action you can take against identity theft is available on the Information Commissioner's Office website: www.ico.org.uk/your-data-matters/identity-theft.

What if I think I have been adversely affected by this?

Please refer to the Information Commissioner's Office website at www.ico.org.uk/your-data-matters/identity-theft for guidance.

Who else has been affected by this?

Although we have not been advised officially, we understand a significant number of organisations have been affected globally.