Cyber-thieves apparently made a ransomware attack; attack discovered but not before some of donor/alumni data was exposed
The Yavapai Community College Foundation was recently made aware that its third-party vendor, Blackbaud, who stores alumni and donor data, “discovered and stopped a ransomware attack, but not before some of its data was exposed.”
The data possibly taken by the cyber-thieves was that of donors and alumni.
The ransomware attack occurred between February 7, 2020, and May 20, 2020. On July 16, 2020, Blackbaud, Inc. notified the Foundation that it had experienced the ransomware attack.
Following below is a statement from the Director of the Foundation that contains details of the incident. It was obtained by the Blog August 19, 2020.
In keeping with our commitment to transparency, the following notice is being provided to all Yavapai College Foundation constituents who may be potentially affected by a data breach.
Yavapai College and the YC Foundation were recently made aware that one of our vendors experienced a data security incident that involved information related to our alumni and donors. We take information security and the proper use of any information we collect very seriously. The information below explains the incident and data involved (as explained to us), and best practices on what you can do to protect yourself.
What Happened?
On July 16, 2020, Blackbaud, Inc. notified us it had experienced a security incident. Blackbaud is one of the largest providers of customer relationship management systems and is used by 25,000 non-profits and higher education institutions worldwide.
Presently, our understanding is that the vendor discovered and stopped a ransomware attack, but not before some of its data was exposed. According to Blackbaud, the bad actor obtained the data to extort funds from the company. This incident occurred sometime between February 7, 2020, and May 20, 2020.
Blackbaud has been working with law enforcement, and they believe the data has been destroyed by the cybercriminal, and no data was shared with other parties. The company has retained the services of data security experts to monitor the dark web as a precautionary measure and reports it has not seen any indication of the data being shared on that medium. Blackbaud’s official statement may be viewed at https://www.blackbaud.com/securityincident (please note that this link will take you to the Blackbaud website). The vendor has put in place measures to prevent something like this from happening in the future.
What Information was Involved in the Incident?
Blackbaud informed us that the cybercriminal did not access credit card information, bank account information, or social security numbers. However, the data may have contained general information such as names, contact information, and relationship history (e.g., gift history, membership information) with the YC Foundation.
What is Yavapai College and the YC Foundation doing?
We are notifying you out of an abundance of caution. The safety of your data is of the utmost importance to us. We are working with Blackbaud as it investigates the issue further so we can properly understand what information has been potentially exposed. Because of the number of institutions involved, it has taken the vendor additional time to share specific details with each entity. We will share further information with impacted constituents as needed and appropriate.
What can you do?
We consider this incident as another reason for you to remain vigilant and monitor your accounts for suspicious activity. Also, we would recommend heightened awareness related to email phishing campaigns. Please note that Yavapai College and the YC Foundation will not ask for any sensitive information via an unsolicited email or phone call. For your convenience, a list of helpful resources is below:
How to Recognize and Avoid Phishing Scams
- https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams
- https://www.occ.gov/topics/consumers-and-communities/consumer-protection/fraud-resources/phishing-attack-prevention.html
10 Things You Can Do to Avoid Fraud
Credit Reports
- You can obtain a free copy of your credit report from each of the three major credit reporting agencies once every 12 months at http://www.annualcreditreport.com, calling toll-free 877-322-8228, or completing an Annual Credit Report Request Form and mailing it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348.
More Information
The protection of your information is taken very seriously by the YC Foundation. Please know that this data breach wasn’t the result of the YC Foundation’s carelessness or neglect, but rather a cyber attack on our database vendor.
We are sorry this incident involving our vendor occurred and regret any inconvenience it may cause you. Hopefully, your trust and support of the Foundation is reassured due to our prompt response and transparency.
Should you have any further questions or concerns regarding this matter, please contact the YC Foundation at [email protected].
Regards,
Paul Kirchgraber
Executive Director
Yavapai College Foundation