Blackbaud data incident: important information
We have been informed by Blackbaud, the world’s largest provider of not-for-profit database management software, that a recent data security breach involved information on alumni, donors and other related groups from the University of Auckland.
We believe the situation has been resolved, and that you do not need to take any action in response to this incident.
In May 2020, Blackbaud was the victim of a cyberattack that attempted to encrypt their systems. Although their cybersecurity measures intercepted the attack, the cybercriminal responsible was able to take copies of information belonging to a large number of universities and charities around the world. We understand that this included information from the University of Auckland. Although the encrypted data included contact details and dates of birth as well as information regarding donations and engagement with the University, it did not include passwords or credit card details.
To protect the stolen data, Blackbaud negotiated and paid a ransom to the attacker in return for an assurance that the data would be destroyed and that no copies of the data would be distributed or retained.
What have we done in response to the breach?
Once alerted to the breach by Blackbaud, the University took steps to assess the impact on the individuals affected. We have assessed the likelihood of harm to individuals as a result of this event as low for the following reasons:
- Blackbaud conducted a full examination of the breach (including involving law enforcement agencies).
- Blackbaud informs us that the backup database was encrypted.
- Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
The University has also taken the following steps:
- Informed the Office of the Privacy Commissioner of the data breach and the response by Blackbaud and the University of Auckland.
- Alerted all University of Auckland alumni, donors and other affected groups to the incident and the steps taken to resolve it.
- Posted information about the data breach and the response on the University’s main public website (this notice).
We are confident that the incident has been successfully resolved; however, we urge you to remain vigilant for any unusual activity.
We take your privacy seriously. If you have any questions regarding this incident, please contact us:
By phone: +64 (0) 9 923 5025
By email: firstname.lastname@example.org
Professor Jenny Dixon
Deputy Vice-Chancellor, Strategic Engagement