Northwood University was informed by Blackbaud, one of the world’s largest providers of education, administration, fundraising and financial management software for non-profits, that they have experienced a data security incident that may have involved your personal or organization’s information. Northwood University was just one of many nonprofits affected by this attack. Though Blackbaud, law enforcement officials, and third-party security experts believe that no information went beyond the cybercriminal, Northwood University’s commitment to transparency and ethics leads us to inform you of the event.
What Happened
On Thursday July 23, 2020, Northwood University representatives attended a closed virtual session with Blackbaud, to learn details of a ransomware attack on Blackbaud. This attack occurred in May of 2020. The cybercriminal removed data to purposely extort funds from Blackbaud. After Blackbaud was able to discover the attack, Blackbaud’s Cyber Security team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of Blackbaud’s backup file containing personal information of many individuals from nonprofits throughout the world. After working with Blackbaud, Northwood’s legal counsel, and Northwood’s Information Technology team, a public post was made to Northwood’s home page on July 30, 2020.
What Information Was Involved
Northwood University’s work with Blackbaud thus far, has determined that the cybercriminal did not access your credit card information, bank account information, or social security number. However, the file removed from Blackbaud may have contained your basic details (e.g. name, title, gender, date of birth); addresses and contact details (e.g. past and present addresses, phones, emails); professional details (e.g. your employer and/or position); and a history of your relationship with our organization, such as degree(s) attained, donation dates and amounts, or engagement activities (e.g. event participations or records of engagement with Northwood University).
To protect your information, Blackbaud paid the cybercriminal’s ransom demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud advises they have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What Will Change
Blackbaud has already implemented several changes that will protect your data from any subsequent incidents. Blackbaud has identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to secure their system. Blackbaud has always met and exceeded industry security standards.
Blackbaud believes their improvements withstand all known attack tactics. Additionally, Blackbaud will accelerate efforts to further harden their environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms. Additionally, Blackbaud has committed to indefinitely monitor the “dark web” to assess if any further risks ever arise.
Northwood University’s Information Technology team in cooperation with Advancement and Alumni Relations will continue to work with Blackbaud on this matter, monitor and review security enhancements provided by Blackbaud, and engage in the proper due diligence to determine any necessary changes to our database provider.
Moving Forward
As a best practice, Northwood University recommends vigilance and that you promptly report any suspicious activity or suspected identity theft to the proper authorities.
The Northwood Idea and Northwood University’s Code of Ethics encourages integrity and transparency, and our philosophy reinforces the decision to share this important information with you. Northwood University friends and alumni are important to Northwood’s mission to develop the future leaders of a global free-enterprise, society and we value the investments you make in Northwood University and the trust you place in us to look after your data.
Should you have any further questions or concerns regarding this matter, please do not hesitate to contact Northwood University at .
Sincerely,
Justin W. Marshall
Vice President of Advancement and Business Development
Davis Yost
Associate Director of IT Security