Blackbaud incident

Virginia Commonwealth University is proud of the trust and support that our alumni and friends show the university and its health system. We are committed to transparency, honesty and the protection of the personal data that we maintain. On July 16, the university learned of a global data security incident at Blackbaud. Blackbaud is a vendor that provides data hosting services globally for hundreds of universities and nonprofits. VCU uses Blackbaud-hosted services for our development and alumni relations activities and is one of many universities and nonprofits affected by this incident worldwide.

The information compromised during this incident was primarily demographic in nature: name, address, contact information, degrees obtained at VCU, board service and philanthropic giving history. It is important to point out that VCU does not store any credit card information, bank account information, private health information or Social Security numbers in this database, so this information was not compromised in any way. VCU does not believe the information involved in this incident can be used for identity theft or financial fraud.

Based on the nature of the incident, the research performed by the service provider and third-party and FBI investigators, Blackbaud has stated there is no reason to believe any data involved in the breach went beyond the cybercriminals; was or will be misused; or will be disseminated or otherwise made available publicly. Blackbaud has hired a third-party team of experts to continue indefinite monitoring for any such activity.

Based on the facts known to date, we do not believe you need to take any additional safeguards for your information. As a best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

We very much hope you receive this update in the transparent spirit it was drafted, and we regret any worry or other inconvenience the Blackbaud data breach might have caused. If you have any questions or concerns, please visit Blackbaud’s notice or contact us at blackbaudinfo@vcu.edu or (804) 827-2937.

FAQ

What is VCU’s relationship with Blackbaud?

VCU has contracted with Blackbaud, for constituent relationship management services. This system is used to record engagement by the Office of Development and Alumni Relations with members of the VCU community, including alumni, donors, staff and students, and extended networks.

What exactly happened in this incident?

Blackbaud discovered and stopped a ransomware attack involving many of its clients, including VCU. After discovering the attack, Blackbaud’s cybersecurity team, together with independent forensics experts and law enforcement (including the FBI), blocked the cybercriminals from doing additional damage. The cybercriminals, however, successfully removed a back-up copy of files containing some personal information of our constituents.  Blackbaud paid the cybercriminal a ransom to ensure the backup file was permanently destroyed. Read Blackbaud’s notice for more specifics.

What personal data was compromised?

The files accessed contained the following data fields, but this data was not obtained for every person in the database:

  • Demographic details such as name, title, gender, date of birth and student number
  • Addresses and contact details such as phone, email and LinkedIn profile URL.
  • Course and educational attainment details, including what qualifications received and some extracurricular opportunities tracked
  • A record of your engagement with alumni and fundraising activities, such as event participation, volunteer service, donations and any other interactions you have with Development and Alumni Relations.
  • Professional details, including your profession and employer.
  • Information about your interests you have provided to VCU.
Was my credit card, bank account or social security number stolen?

No. VCU does not store bank account or social security information with Blackbaud. If you have made a credit card or ACH transaction with Development and Alumni Relations, the payment processing vendor, authorize.net, stores that information for a period of time before the data is deleted. If you have authorized a recurring payments, the information is securely stored for the period of that commitment.

Am I at increased risk for identity theft because of this incident?

No. Because VCU does not collect data elements needed for identity theft and financial information is not stored by Blackbaud, this incident will not elevate your risk of becoming a victim of identity theft. We do advise, however, that our constituents follow best practices in protecting their identity, such as monitoring of the annual free credit report at annualcreditreport.com.

What steps has Blackbaud taken to prevent this from happening again?

Over the past five years, Blackbaud has built a substantial cybersecurity practice with a dedicated team of professionals. Independent reviewers have evaluated the program and determined that it exceeds benchmarks for both the financial and technology sectors. Blackbaud follows industry-standard best practices, conducts ongoing risk assessments, aggressively tests the security of its solutions and continually assesses its infrastructure.

How to check and report any credit oddities?

We encourage you check and report any oddities on your credit report to one of these agencies:

  • Experian (888) 397-3742
  • Equifax (800) 685-1111
  • TransUnion (888) 909-8872
  • Innovis (800) 540-2505