The information below relates to a data security incident with a third-party service provider of Robert Gordon’s College. We believe it involves a number of UK and US healthcare, educational and not-for-profit organisations, as well as Robert Gordon’s College data.
We take our data protection responsibilities very seriously. We immediately launched our own investigation and further details are below, including the steps we have taken in response.
On 16 July, we were contacted by Blackbaud, one of the world’s largest providers of database management systems for not-for-profit organisations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack between February and May 2020. Before being locked out of Blackbaud’s systems, the cybercriminal was able to remove a copy of a subset of data from a number of Blackbaud’s clients. This included Robert Gordon’s College data.
We use this system to record engagement with members of the Gordonian community, including alumni and supporters.
We would like to reassure our community that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts. Blackbaud has confirmed that the investigation found that no encrypted information, such as credit card information, bank account details or passwords, was accessible.
What information was involved?
The data accessed by the cybercriminal may have contained some of the following information:
- basic details, e.g. name, title, gender, date of birth;
- addresses and contact details, e.g. phone, email;
- educational details;
- a record of your engagement with alumni and fundraising activities, e.g. enquiries, event participation, volunteering, giving history, and any other interactions you have with Robert Gordon’s College;
- professional details, e.g. job title and your employer; and
- information about your interests that you have provided to us.
What are we doing about the situation?
We have been informed that in order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed.
Blackbaud has engaged security experts to search for misuse of the data and they have informed us that no evidence has been found of this; they are also monitoring the dark web looking for any traces of the data affected in this incident. You can read their response on the Blackbaud website.
However, we have immediately launched our own investigation and have taken the following steps:
- We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant;
- We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance;
- We are taking steps to understand how many other parties in higher education and the wider not-for-profit sector have been affected;
- We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If you would like to speak with a member of the team at Robert Gordon’s College regarding the Blackbaud update, please contact us.