On July 16, 2020, Blackbaud, one of our third party service providers, notified us of a security incident. Upon receipt of the information from Blackbaud, we immediately started an internal due diligence investigation to understand what happened. The purpose of this posting is to inform our alumni and friends of the details of the Blackbaud incident.
Blackbaud is one of the world's largest providers of customer relationship management systems for not-for-profit organizations and a significant number of universities. We use their systems to record details of engagement with our alumni and friends. Blackbaud reported that in May of 2020, it discovered and stopped a ransomware attack. After discovering the attempted attack, Blackbaud's Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking system access and fully encrypting files; and ultimately expelled them from the system. However, the cybercriminal was able to remove a copy of a subset of data before being locked out, and we understand from Blackbaud that Marywood data was part of the incident, although it may not have been contained within the compromised dataset.
In its July 16, 2020 notice, when Blackbaud identified the data subset, we began evaluating the information. From our review, we determined that the compromised data may have included contact information, demographic data, and a history of our alumni and friends’ relationships with Marywood, including philanthropic giving. Blackbaud has advised that no credit card or bank account information was compromised in this incident. There were a limited number of instances where Social Security numbers may have been contained within the compromised dataset. Marywood provided notifications directly to those individuals as required by law. Marywood does not currently collect or store Social Security numbers. The Social Security numbers found in the dataset were from older data collected prior to the implementation of the current policy against collecting or storing Social Security numbers.
We have been informed that in order to protect customers' data and mitigate potential identity theft, Blackbaud paid the cybercriminal's ransomware demand in return for confirmation that the copied data had been destroyed. Blackbaud states based on the nature of the incident, their research, and third party (including law enforcement) investigation, they have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. However, Blackbaud retained a third party security firm to monitor dark web activity for any sign of information from the incident. Likewise, out of an abundance of caution, Blackbaud recommends that Marywood alumni and friends review account statements carefully for any unusual activity.
We continue to actively monitor this situation and follow-up with Blackbaud to ensure that Marywood data is not at risk. We are not currently aware of any likely negative consequences to our constituent community.
Marywood’s contractual agreements have always required Blackbaud to keep our constituent information confidential and to have security procedures in place to minimize the risk of information security incidents. Marywood greatly values the support and generosity of our alumni and friends. We take the privacy of our alumni and friends very seriously and we work diligently to protect your personal information. If you have questions, please contact Renée Zehel, Vice President of University Advancement, at 570-348-6238 or firstname.lastname@example.org.
Thank you for your dedication and support. We are grateful.