Blackbaud data security incident

On Thursday, 16 July, we were made aware of a security incident involving one of our third-party service providers, Blackbaud.

Blackbaud is one of the world’s largest providers of customer relationship management systems for the higher education and not-for-profit sectors.

The company informed us that it had discovered and stopped a ransomware attack on its systems, although some data was compromised. A number of universities using its services have been affected, including the University of Sussex.

We have notified the Information Commissioner’s Office (ICO) of the incident. Whilst the risk it poses to you is low and below the statutory threshold for notifying affected individuals, we wanted to make you aware. Blackbaud assures us that the compromised data did not contain any password, username, bank account or credit card information.

The compromised data contained biographic details (e.g. names, study, employment and contact details) and information pertaining to individuals’ relationship with Sussex, such as event participation and giving history. It did not contain any bank account or credit card details.

We understand that this news may cause you some concern and we are sorry for any distress or inconvenience caused by what is criminal activity against one of our service providers.

Further details

Blackbaud has confirmed that it paid a ransom to the cybercriminal and received assurances that the compromised data was destroyed and not used or sold on to third parties. A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and independent cybersecurity experts. Blackbaud has also assured us that, based on the nature of the incident, its research, and investigation, it has no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly, and that no bank account, credit card, username or password information was affected by the cyberattack.

Blackbaud has set out further details about the incident here.

Since receiving notification of this incident from Blackbaud, we have notified the Information Commissioner’s Office (ICO) of the breach and taken steps to inform you so that you can remain vigilant. We are continuing to work closely with the company to verify that all our data remains secure and are also seeking an explanation for the delay in Blackbaud informing us of this issue.

What do you need to do?

There is no need for you to take any action at this time.

If you would like to contact a member of the University of Sussex team, please contact us at dataquery@sussex.ac.uk and we will answer your query as soon as possible. As we are currently working remotely, if you would like to speak with someone from the team, please email us your contact number and we will call you back as soon as possible.

We deeply regret the inconvenience that this data breach by Blackbaud may have caused you. Please be assured that we take data protection very seriously and we are grateful for your continued support and engagement.