This page provides information on what Blackbaud has told us about the incident, and what we are doing to protect our data.
The University takes its approach to data security very seriously and we have established a full incident response group to review and respond to this issue.
What happened?
Blackbaud is a global supplier of software and we use its online database platforms for alumni engagement, managing relationships with honorary doctors and donors, and fundraising programmes. On 16 July 2020, the University was notified by Blackbaud that it had been subjected to a ransomware attack which it believes was carried out between February - May 2020. During the attack the cybercriminal was able to remove a sub-set of data belonging to a number of organisations, including Sheffield Hallam and certain other UK universities.
We understand that this data relates to names and contact details for alumni, donors, and other stakeholders. No bank details, credit card, financial details or sensitive data were taken – we do not use Blackbaud systems for financial processing.
Upon confirmation that the stolen data had been destroyed, Blackbaud paid a ransom to the cybercriminal. The company has reassured us that it has no reason to believe any data went beyond the cybercriminal. Blackbaud has reported the incident to the FBI and the Information Commissioner’s Office in the UK, and is continuing to monitor the situation.
What data was affected?
We understand that the data stolen relates to contact details and records of engagement:
- Names and contact details
- Education details (including subject, degree award)
- Professional details (including job title, organisation name)
- A record of engagement and interaction with our alumni and development activities (such as event attendance, volunteer activity, enquiries, donation amounts)
- Information on preferences and interests registered with us as part of alumni relations activity.
- No bank details, credit card, financial details or sensitive data were taken.
What is the University doing?
The University is managing this incident in accordance with its data security procedures and is working with colleagues from across the University in co-ordination with Blackbaud.
The University has taken the following steps:
- We are working to understand the reason for a delay in Blackbaud notifying us of the incident and implications of this for data subjects.
- The University has written to the Information Commissioner’s Office to notify them of this incident.
- We are committed to communicating to affected stakeholders as far as is practical and continue to work with Blackbaud to ensure our data is protected and secure.
What do you need to do?
The data stolen is not sensitive or financial, so at this stage you do not need to do anything except remain vigilant and report any suspicious activity to police or other law enforcement authorities. Further information is available about staying safe online.
To get in touch with us about this please contact blackbaudincident@shu.ac.uk.
We will continue to work with Blackbaud to investigate this incident and its implications further. We sincerely apologise for the inconvenience of this data security breach by Blackbaud. The University takes data protection very seriously and we are grateful for your continued support and understanding.
Please note: Blackbaud is a major supplier of cloud solutions to the HE and not for profit sector. This is a different company to Blackboard who provide online learning platforms.
Updated 2 October 2020:
Blackbaud notified the University on 29 September 2020 that following further investigation a subset of their customers had been effected further by the ransomware attack which data subjects were notified of in July. We can confirm that Sheffield Hallam University was not part of this subset and was not impacted. No further action is required by the University or its data subjects.
