The Catholic University of America takes the protection and proper use of donor information seriously, and so we believe it important to notify you of a data security incident that affects some members of our University donor community.
In late July, the University received notice from Blackbaud, our Advancement data management software vendor, of a security attack on its systems between February and May 2020. Blackbaud was hacked in an attempted ransomware attack. The incident affected cloud-hosted systems operated by Blackbaud, the leading international software and service provider for non-profit organizations, foundations, institutes of higher education, and faith communities. We are one of hundreds of organizations Blackbaud has advised whose data was affected by this security incident. Catholic University stores a very small portion of our donor data in the cloud. Most of it is stored on secure servers on our campus.
Blackbaud has informed us that cybercriminals attempted to lock organizations such as ours out of their own data and servers to maliciously interrupt business. Blackbaud's Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented these cybercriminals from blocking system access and fully encrypting files, and ultimately expelled them from its system. However, before they were locked out, the cybercriminals removed a copy of a small subset of data from Blackbaud's environment.
Blackbaud has assured us that the cybercriminals did not gain access to credit card information, bank account information, or Social Security numbers. In any case, Catholic University Advancement, by policy, does not store this information in the database. However, the data accessed included names, addresses, dates of birth, donor engagement information, and each donor's total giving to Catholic University. We believe approximately 90,000 of our 245,000 records were affected. Blackbaud's investigation (including law enforcement) concluded that the data acquired by the cybercriminal was destroyed and that the data likely will not be misused, disseminated, or made public.
The University is posting this out of an abundance of caution and to provide our donors the opportunity to better protect themselves from cybercrime. We have engaged internal and external cybersecurity professionals in conversations with Blackbaud about this serious matter and its handling of data. We will continue to monitor the situation and may provide updated notifications as new information dictates. Under these circumstances, we do not believe you need to take any action. If you have questions, please contact us at cua-blackbaud-security-incident [at] cua.edu.
Vice President for University Advancement
Published on: Friday, August 28, 2020