SRU alumni and donors can rest assured that no financial data was compromised, but officials still suggest they monitor their credit reports.
An email sent Friday morning by SRU Advancement Services said Blackbaud, Inc. notified them July 16 of an attack that encrypted numerous databases stored by the company.
Nicholas McIntire, director of advancement services, said information contained in the database was mostly public record information like names, addresses and phone numbers.
On a webpage published by the SRU Foundation to provide those affected with details of the attack, educational records is listed as potential data exposed. McIntire said information in this category is only that donors attended SRU.
While information like donation amounts is also included in the data, McIntire insists that no credit card or bank information was involved. He added that no personal identifiable information like social security numbers were involved.
Still, officials suggest those that may be affected utilize free credit monitoring services like Credit Karma or Experian.
Blackbaud said in a press release after discovering the intruder that they immediately locked them out, but not before they were able to copy and encrypt some data. Files stolen by the attacker were destroyed after the company paid an unspecified ransom.
“Because protecting our customers’ data is our top priority, we paid the cyber-criminal’s demand with confirmation that the copy they removed had been destroyed,” the press release said.
After third-party review of the attack, including law enforcement, the company said they “have no reason to believe that any data went beyond the cyber-criminal, was or will be misused.”
The Rocket reached out Blackbaud for further comment on the attack but did not receive a response prior to publication.
According to Blackbaud’s website, the company – headquartered in South Carolina – provides cloud software solutions for organizations in the nonprofit, education and healthcare industry around the globe.
Officials with SRU said it took two weeks after being told about the attack to reach out to donors because they wanted to talk with Blackbaud directly.
“You want to gather as much information as possible,” said Dennis Washington, vice president for university advancement.
Washington said they reviewed the breach with PASSHE’s legal department to find out what their reporting requirements were. He said there is an obligation to their donors to be transparent about breaches like this even when sensitive data is not involved.
Not all of the 59,000 donors and alumni listed in the database were able to be reached by email so postcards are being sent out next week to notify them of the breach, McIntire said.
