Notification of Blackbaud Security Incident
Dear P.G. Chambers School Community,
On Thursday, July 16, 2020, P.G. Chambers School was notified by Blackbaud, a globally-trusted, cloud-based data management provider used by countless schools, colleges, and non-profit organizations for financial and fundraising management, that it discovered and stopped a ransomware attack that occurred in May 2020. P.G. Chambers School received this notification because Blackbaud is one of our third-party service providers relating to development matters.
Although this ransomware attack was against Blackbaud and not P.G. Chambers School, we want you to know that we take the protection and proper use of your personal information very seriously. As a result, we have decided to notify you regarding this Blackbaud incident. We have detailed below the steps that Blackbaud advises were taken to remediate any potential impact related to the incident.
Our understanding is that when Blackbaud became aware of the ransomware attack, Blackbaud’s Cyber Security team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking their system access and fully encrypting files. Ultimately, the ransomware was expelled from Blackbaud’s system.
However, before Blackbaud locked out the ransomware, the cybercriminal removed a copy of our backup file containing some of your personal information. This occurred at some point beginning on February 7, 2020, and the cybercriminal could have been in the Blackbaud system intermittently until May 20, 2020.
According to Blackbaud, the cybercriminal did not access any credit-card information, bank-account information, Social Security numbers, usernames, or passwords. However, it is important to note that P.G. Chambers School has never housed such information on Blackbaud’s database any way, and we will not house such information in the future either. It has been determined, though, that the backup file that was removed may have contained your contact information (name, phone number, address, and/or email address) and donor history. Because protecting customers’ data is a top priority, Blackbaud has stated that they paid the cybercriminal’s demand, with confirmation that the copy removed had been destroyed. Based on the nature of the incident, Blackbaud’s representations to us, and the findings of the third-party (including law enforcement) investigations, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
As part of its ongoing efforts to help prevent something like this from happening again, Blackbaud informed us it has already implemented several changes that will protect your data from any subsequent security incident. According to Blackbaud, they were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. Through testing by multiple third parties, including the appropriate platform vendors, it was represented to us that the vulnerability and access to the information by the cybercriminal was remedied to withstand any future attack ploys.
We have made clear to our Blackbaud representatives how disappointed we are that this happened at all and that it took so long for them to notify their client institutions. (We were not the only school affected.)
Although it does not appear that any of P.G. Chambers School’s donors’ confidential information was compromised, as a best practice, we recommend that you always remain vigilant monitoring your identity and accounts. Please report any suspicious activity or suspected identity theft to the proper law-enforcement authorities.
If you have any questions or concerns regarding this matter, please contact Kathleen DeSantis, Director of Development at 973-829-8484 ext. 109 or at DeSantisK@chambersschool.org.
We recognize that Blackbaud’s security incident is concerning and results in inconvenience for not only P.G. Chambers School but also you – our valued donor and partner in our mission – and for that, we sincerely apologize.
Patty Sly, Executive Director