Statement about Blackbaud data security issue affecting Aberystwyth University
25 July 2020
The University has been informed by the company that operates the Alumni web portal and information management system for our alumni and supporter e-newsletter on our behalf, Blackbaud*, that it has been the subject of a criminal cyberattack. As part of this cyberattack, Blackbaud has confirmed that the personal data of some of our alumni and supporter community may have been accessed. No student or staffing data is affected.
The details that were exposed during the cyberattack included a range of personal information that relevant users have provided. However, Blackbaud has offered repeated assurances that bank account and credit card details have not been accessed. The company has also informed us that it has reported this breach to the Information Commissioner’s Office.
We apologise for any concern this may cause, and we have contacted users of Aberystwyth University’s Aber Alumni online portal and recipients of our alumni/supporters e-newsletter who may have been affected. We alerted these individuals at the earliest opportunity after being informed of the potential impact of the incident.
We take data security extremely seriously, and we are urgently investigating this incident. We will issue further updates should that be necessary as more information becomes available.
Aberystwyth University is one of a number of UK universities that have been affected by this ransomware attack. Blackbaud has stated that it is confident that the stolen data has now been deleted and not used or sold to third parties. Blackbaud has also stated that it has deployed additional measures to mitigate the adverse effects of the breach and to ensure the ongoing security of data that it hosts on our behalf.
What happened
Blackbaud has confirmed to us that they discovered and stopped a ransomware attack, whereby a copy of our backup file was accessed. This file contained personal information. This occurred between 7 February, 2020 and 20 May, 2020.
What information was involved
It is important to reiterate that Blackbaud states clearly that no credit card or bank account information was accessed.
For the majority of our users, the information exposed is understood to be names and email addresses. However, for some individuals the backup file may have contained details such as name, date of birth, contact information (phone number, postal, email address), and relationship history with the University (donation dates and amounts, degree subject and period of study).
What relevant users can do
We have notified those who we believe may have been affected so that they can remain vigilant and promptly report any suspicious activity or suspected identity theft to the police.
Once again, we would like to sincerely apologise for any concern that this may cause. We are working with the University’s Data Protection Officer and all affected UK universities. We are seeking further assurances from Blackbaud regarding this incident and their security measures. We have also notified the Information Commissioner’s Office (ICO) of the breach.
* Please note that the company Blackbaud is not associated with the University's online teaching platform, which is called Blackboard.