VCSU Foundation, other N.D. institutions affected by Blackbaud security incident

The fundraising arms of Valley City State University, the University of North Dakota, North Dakota State University, and Minot State University are notifying alumni and friends via mail and email this week of a security incident at a third-party vendor used by all four.

Blackbaud, Inc., provides a variety of specialized customer relationship management products to universities and nonprofits around the world, including the Valley City State University Foundation, the University of North Dakota Alumni Association and Foundation, the North Dakota State University Foundation, and the Minot State University Development Foundation.

Blackbaud informed its client organizations in mid-July that its systems had been the target of a ransomware attack earlier in 2020. The cybercriminals removed backup files from Blackbaud’s platform, which hosted data for most of Blackbaud’s clients. Blackbaud paid the threat actor’s ransom demand and received assurances that the files taken from its system were destroyed. The company has hired third-party experts to monitor for any activity that would indicate the data had been disseminated. It has found no such evidence.

At this time, based on the information provided by Blackbaud, the four North Dakota university organizations have no reason to believe any data will be misused, disseminated or otherwise made publicly available. Information removed by the threat actor may have contained name, address, date of birth, and, in some cases, giving histories. Sensitive personal data that are likely to lead to identity theft, like financial account information and payment card information, as well as encrypted Social Security numbers, were NOT involved in this incident and, in most instances, are not stored in the databases of the four foundations.

Based on the limited data that was involved, the four North Dakota university foundations are only legally required to notify those in North Dakota and the State of Washington about the security incident, but in the spirit of transparency and an abundance of caution, each is notifying others in their databases as well.

Each of the foundations involved understands the tremendous responsibility of protecting the data they hold and regrets any inconvenience that may be caused by Blackbaud’s security incident. Each also hosts detailed information about the incident and advice on protecting oneself from identity theft on their respective websites.