Dear Members of the Sarah Lawrence Community,
We hope you and your family are healthy and well in these uncertain times. As a college, a core tenet of our philosophy is transparency and open communication. For that reason, we are writing to let you know about a data security incident at an outside vendor that may have involved some of your personal information. Sarah Lawrence College has a contractual relationship with Blackbaud, one of the world’s largest providers of customer relationship management systems, serving more than 35,000 clients around the world in the nonprofit and higher education sectors. Blackbaud recently informed us that they had been the victim of a ransomware attack where a cybercriminal was able to remove copies of data subsets from many of their clients, including a subset of Sarah Lawrence College data.
Blackbaud has assured us that credit card, banking information, and social security numbers were not involved in the incident. Sarah Lawrence College takes the protection and proper use of your information very seriously. We are contacting you as a precautionary measure to share what Blackbaud has told its customers about the incident.
What Happened
Sarah Lawrence was recently notified by Blackbaud, one of our third-party service providers, of a security incident. According to Blackbaud’s communication, there was an attempted ransomware incursion into their systems beginning on February 7, 2020, which continued until May 20, 2020. Prior to being locked out, the cybercriminal reportedly removed a copy of some Blackbaud customer backup files that may have contained personal information. Blackbaud reports that, after discovering the attack, their cybersecurity team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from fully encrypting the data maintained by Blackbaud. According to Blackbaud, the company paid a demand for confirmation that the removed data was permanently destroyed.
What Information Was Involved
It’s important to note that, according to Blackbaud, the cybercriminal did not access credit card information, bank account information, or social security numbers. Blackbaud has further stated that this information, if stored on Blackbaud systems, is secured using encryption technologies. However, it is our understanding that the affected data may have included constituents’ contact information, demographic information, and a history of their relationship with the College. It is important to note that Blackbaud has not informed us of what specific information may have been contained in the breach. We are working diligently to obtain additional information from Blackbaud.
Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud states that it has no reason to believe that any data went beyond the cybercriminal, was misused, or will be disseminated or otherwise made available publicly. Nevertheless, the company has hired a third-party security service to monitor for such activity indefinitely.
What We Are Doing
Ensuring the safety of our constituents’ data is of the utmost importance to us. We immediately launched our own investigation and have taken the following steps:
- We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant.
- We are pressing Blackbaud to provide more details on the size, scope and depth of the breach as it relates to their thousands of clients in the higher education and nonprofit sectors.
- We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as any additional actions Blackbaud has taken to increase their security.
Blackbaud’s Remediation Efforts
As part of its ongoing efforts to help prevent something like this from happening in the future, Blackbaud has affirmed to us that it has already implemented changes to protect its system from any subsequent incidents:
- Blackbaud has identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix it.
- Blackbaud has confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. They are accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoints, and network-based platforms.
We very much regret that the incident experienced by Blackbaud occurred, especially in light of current events. We remain in regular contact with Blackbaud regarding the details of this incident, and we continue to monitor their response. There is no need for our community to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
As more detailed information about the incident becomes available, we will follow up with anyone we believe may have been directly affected. Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.
If you have any immediate concerns or questions regarding this matter, please do not hesitate to contact Director of Advancement Operations & Data Analytics, Fred Feddeck, at dataprotection@sarahlawrence.edu.
Sincerely,
Sean Jameson, Chief Technology Officer
Patty Goldman, Vice President for Advancement and External Affairs
Christina Camardella, Director of Alumni Relations
Fred Feddeck, Director of Advancement Operations & Data Analytics