Notice of Data Breach from a Third-Party Service Provider
We were notified July 16, 2020, by one of our third-party service providers, Blackbaud, of a security incident. At this time, we understand they discovered and stopped a ransomware attack that took place between February 7, 2020 and May 20, 2020. After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement— successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of our backup file which may have contained certain elements of your personal information but did not contain any credit card or banking information.
Who Is Blackbaud
Established in 1981 and a NASDAQ traded company, Blackbaud is a cloud computing provider that serves the social good community such as nonprofits, healthcare, religious organizations as well as educational institutions. They offer a wide range of systems, including fundraising and constituent relationship management platforms. While we are always looking for the best products to serve our school, Blackbaud has long been considered a field leader and BSS has used their products for 21 years.
What Information Was Involved
It’s important to note that the cybercriminal had no access to credit card information or bank account information because this data was strongly encrypted within the Blackbaud system. However, we have determined that the file removed may have contained your contact information, demographic information, and a history of your relationship with our school, including donation dates and amounts.
Because protecting customers’ data is their top priority, Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.
Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing
Ensuring the safety of our constituents’ data is of the utmost importance to us. As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud has already implemented several changes that will protect your data from any subsequent incidents.
First, Blackbaud’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and have taken action to fix it. Blackbaud has confirmed through testing by multiple third parties, including the appropriate platform vendors, that the fixes applied withstand all known attack tactics. Additionally, Blackbaud is accelerating efforts to further harden their environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms. BSS is monitoring their progress.
While the data breach did not occur on BSS-hosted systems, it is always our priority to protect the data you entrust us with no matter where it resides. The security of BSS systems and infrastructure has continuously been a priority, along with our commitment to ongoing investment and improvement. As such, we have conducted an externally run Vulnerability Test of our campus network and associated systems hosted on campus and in our co-location. We have also hired qualified Cyber Security experts to further review our data security, including those hosted with third-party vendors. We are contacting the Office of the Privacy Commissioner (Government of Canada) to submit a notification.
What You Can Do
It is always good practice to change your passwords and remain vigilant.
Should you have any further questions regarding this matter please do not hesitate to contact Mary Anne Van Acker, Assistant Head, Innovation Development and Technology at The Bishop Strachan School by email at email@example.com.
Head of School
Mary Anne Van Acker
Assistant Head, Innovation, Development and Technology