Blackbaud Security Notice
Our Response to the Blackbaud Security Notice
At Flagler College, we strive to live up to our core value of citizenship with integrity, and this includes setting a high expectation of honesty, integrity, and responsibility. We are deeply committed to building a community of long-term trust. Below you will find our response to a data security incident involving one of our third-party service providers, Blackbaud, Inc.
Blackbaud is one of the world’s largest software companies and provides data management services for colleges and nonprofits nationwide, including Flagler College. Flagler College uses Blackbaud’s Raiser’s Edge NXT database to manage data related to alumni, donors, community partners, and friends of the College.
On July 16, 2020, Flagler College was informed that Blackbaud was the victim of a ransomware attack they discovered and stopped in May 2020. Before Blackbaud stopped the attack, cybercriminals managed to copy a subset of data from a number of clients in Blackbaud’s private cloud environment, including Flagler College.
Flagler College has reviewed the information provided by Blackbaud, and performed its own investigation in partnership with a cybersecurity firm to authenticate Blackbaud’s investigation process. After performing this investigation, we are publicly sharing details of the incident.
What information was involved?
Please be advised that no credit card information, bank account information, social security numbers, or academic records were involved in this incident. The Flagler College Raiser’s Edge NXT database contains contact information, select biographical information, and a record of engagement activities with the college.
The data involved in this incident may have included your contact information (name, address, phone, and e-mail), date of birth, gender, employment information, and a history of your past engagement with Flagler College (event attendance, philanthropy, volunteer activity).
Who did Flagler College notify of this incident?
Flagler College sent an e-mail to all members of the Flagler College community who may have been affected by this security incident. If you did not receive an e-mail notification, you did not have a record in Flagler College’s Raiser’s Edge NXT database as of May 31, 2020, or the record on file did not contain a valid e-mail address.
What should I do?
Blackbaud believes they have successfully retrieved the stolen data, and has implemented several changes to protect data from any subsequent incidents, such as accelerating plans to expand their data encryption. We do not believe any members of the Flagler College community need to take action at this time, but we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
What is Flagler College doing about the event?
Flagler College performed its own internal investigation, partnered with a third-party cybersecurity firm to authenticate Blackbaud’s investigation, and continues to work with other higher education institutions to make sure the full depth of the breach is understood.
Blackbaud notified its affected clients that they met the cybercriminal’s ransomware demand upon receiving assurance that all copies of the compromised data had been destroyed. A detailed investigation was undertaken by Blackbaud, and a law enforcement investigation is ongoing. Blackbaud also hired third-party cybersecurity experts to monitor the dark web indefinitely to ensure no evidence arises that data was released. If Blackbaud finds evidence, they will notify Flagler College, and we will update you as soon as possible.
We take your privacy very seriously at Flagler College, and we are exploring all options to ensure this type of breach does not happen again, including revisiting our relationship with Blackbaud. Should you have any questions or concerns, please contact Jay P. Kelly, Director of Advancement Services, at 904-819-6477 or JKelly@flagler.edu. We will continue to monitor this situation and provide updates as necessary.