Notice of a Data Breach from Blackbaud
On July 16, Glenlyon Norfolk School was notified by Blackbaud that they had been the target of a data security incident involving cybercriminals in May 2020. Our Student Information System was not involved.
Blackbaud is one of the world’s largest providers of education administration, fundraising and financial management software for nonprofits and GNS was one of many organizations impacted by this cyber-attack. GNS uses several of Blackbaud’s products to manage constituent and organization data, and to communicate with various members of our community. These include Financial Edge (FE) and Raiser’s Edge (RE), which were the focus of the attack. The Student Information System that parents, students, and faculty log into was not part of the data breach, nor was the payment processing system we use for our event and donation forms.
Blackbaud informed us that through social engineering, a user at one of their data centres had been the victim of a ransomware attack, which allowed a cybercriminal to remove a copy of some of the data from a number of their clients, including FE and RE data belonging to GNS, and hold it until payment was made. Blackbaud has advised us that it paid the ransom and has also assured the school that the cybercriminal destroyed the copied data—a point which has been verified and continues to be monitored by third party investigators (including law enforcement). Blackbaud has upgraded their security protocols to minimize the risk of a future breach.
Blackbaud has reassured us that the cybercriminal was unable to access any credit card or bank account information, usernames, or passwords because these are encrypted. However, the data may have contained information such as name, date of birth and contact information, as well as donor or engagement history with the school. Based on the nature of the incident, Blackbaud's research, and the ongoing third-party investigation, we have no reason to believe that any data went beyond the cybercriminal, that it was or will be misused, or that it will be disseminated or otherwise made available publicly.
The privacy of all our constituents and their information is of the utmost importance to us. These are the steps we are taking to protect our community:
After notifying GNS of the data breach, Blackbaud offered to move our Financial Edge and Raiser’s Edge databases to a different, more secure server system. We are in the process of doing this now.
We have created a GNS task force to address the issue.
We are immediately notifying all affected parties directly.
We have informed the Office of the Information and Privacy Commissioner of British Columbia and will continue to work closely with their office.
We are working closely with Blackbaud to understand why this happened and what actions they are taking to increase their security.
We take information security very seriously, and we regret any inconvenience this may cause any member of our community. GNS remains in regular contact with Blackbaud regarding the details of this incident, and we are continuing to monitor their response. If you have any immediate questions or concerns, please contact email@example.com.