Blackbaud Data Incident: FAQs

What happened?

On July 16 we learned from Blackbaud, the company that provides data hosting services for our Office of Philanthropic & Alumni Engagement, that it had experienced a security incident impacting Pitt-Bradford and many other non-profit, educational, and healthcare organizations across the US and globally.

Here is what Blackbaud has told us:

  • They discovered and stopped a ransomware attack on their computer systems. 
  • After discovering the attack, Blackbaud’s cybersecurity team—together with independent forensics experts and law enforcement—successfully contained the attack and prevented the cybercriminal from further compromising their systems. 
  • However, before being locked out, the cybercriminal removed copies of customer data files—including files containing information about Pitt-Bradford’s alumni and donors. 
  • Blackbaud paid the ransom demand and they received confirmation that all data the criminal obtained was destroyed and not misused in any way.
  • Based on the nature of the incident, its investigation, and consultation with experts including law enforcement, Blackbaud strongly believes, in their words, that none of the data removed from their system “went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”

When did this occur? 

This occurred between February and May 2020. Pitt-Bradford received notice of the event from Blackbaud on July 16th. 

What information was involved?

The information in the data sets involved in this incident varies from person to person. We believe it may have contained information in these categories:

  • Name, title, gender, date of birth and student ID number; 
  • Addresses and contact details e.g. phone, e-mail, street address;
  • Degree received from Pitt-Bradford and year of graduation; 
  • A record of your participation in alumni and fundraising activities; 
  • Professional and employment information.

For a few individuals, bank or credit card information or social security numbers may have been affected. If you are one of those individuals, you will receive a separate notice from Pitt-Bradford about that.

What information was not involved?

  • For most people, credit card or bank account information and any social security numbers were not accessible to the cybercriminal [because that information was stored in encrypted or redacted format]. 
  • For a few individuals, bank or credit card information or social security numbers may have been affected. If you are one of those individuals, you will receive a separate notice from Pitt-Bradford about that.

Has my information been misused? 

Blackbaud has stated—and reaffirmed—that they have no evidence of any misuse or distribution of the information potentially affected by this incident. Blackbaud believes the cybercriminal was only interested in the ransom payment and the data was destroyed when the ransom was paid. Since we have no way to be certain, we are providing this information to you solely out of an abundance of caution.

What is Pitt-Bradford doing about the situation?

We have assembled an incident response team including Pitt-Bradford staff from the Office of Philanthropic & Alumni Engagement, the IT Department, and the Privacy Officer from Pitt’s Pittsburgh Campus. Our priorities are:

  • Determining how members of our Pitt-Bradford community may have been impacted by this incident.
  • Communicating with our community members about this incident.
  • Ensuring we comply with all relevant regulations and laws relating to cyber-security incidents.
  • Evaluating the information from Blackbaud about the security measures they have taken in response to this attack and the additional safeguards they will deploy to strengthen their security.

How many people are affected?

We do not know and likely will never know for sure exactly whose information may have been involved. That’s why we are alerting everyone about what happened.

What is Blackbaud? What does it do for Pitt-Bradford? 

Blackbaud is a major worldwide provider of internet-based software and hosting solutions to universities, schools, charitable organizations, faith organizations, foundations, healthcare organizations, and other nonprofits. 

  • They provide financial and customer-relationship management software solutions. We use the software to keep track of contacts with our community of support and record donations, along with other related functions.

How many organizations are affected?

We understand from news reports that many of Blackbaud’s other customers were affected in the same way as Pitt-Bradford. We don’t know for sure, but the number is well over 100.

Have the police/local authorities been notified?

Blackbaud has stated that they involved law enforcement in responding to this attack. We have not notified law enforcement because this attack did not affect the Pitt-Bradford computer system.

Why didn't you tell affected individuals about the loss of the data sooner?

We are alerting the Pitt-Bradford community as soon as possible after receiving notice from Blackbaud on July 16 and starting an investigation of our own to understand how our information was affected. We conducted an initial review of the information about the incident so we could be as accurate as possible in communicating with our community. 

Why didn’t Blackbaud tell Pitt-Bradford sooner?

Blackbaud explained the timing of their notice to us and in their public announcement. Blackbaud said that when they recognized the attack, their first priority was to mount a defense to block the cybercriminal’s attempt to encrypt all the data files Blackbaud manages for its customers and to expel the cybercriminal from their system. Then they undertook an investigation with the assistance of independent cybersecurity experts and law enforcement to determine the scope of damage and assess what information was impacted.

What is Blackbaud doing to prevent this kind of loss from happening again? 

Blackbaud advises that it has taken a number of immediate and longer-term measures to prevent this kind of loss from happening again. Blackbaud conducted vulnerability testing and implemented remediation solutions to enhance network access controls, anti-virus protections, monitoring solutions, and file encryption solutions. Blackbaud said they are also investing in enhancements to their cyber security program including ongoing vulnerability testing and proactive remediation.

What are the risks of identity theft? 

We understand that Blackbaud as well as independent cybersecurity organizations are continuing to monitor the dark web for any indication that the information relating to this attack was disseminated. 

Is there anything I need to do in response to the exposure of my personal information?

If you are one of the individuals whose sensitive information was possibly exposed, we will contact you directly with more information. By sensitive information, we mean social security, bank account, or credit card numbers.

If we do not contact you about your specific information, you may want to consider taking advantage of the free fraud alert and credit freeze services offered by the three major credit bureaus. Placing fraud alerts will help protect your credit. In addition, you can obtain copies of each of your credit reports at no cost to you. Pitt-Bradford’s communication to you contained website links to some information about how to start that.

How can I have my information removed from Pitt-Bradford’s system?

We are unable to remove your information from the system, but we are working to protect your information from these risks.

If there are any updates about this Blackbaud incident, how will I be notified?

If we have any updates about the Blackbaud incident, we will send you a follow-up email and we will also share updates on our website. 

Who should I contact if I have further questions? 

Please call us at 814-362-5091 if you have more questions or concerns.