Dear Alumni and Friends,
We are writing to inform you about a data security incident that may have involved some of your personal information. On July 16, 2020, clients of Blackbaud, Inc. (“Blackbaud”) were informed that Blackbaud suffered a data security incident. Blackbaud is an engagement and fundraising software service provider used by organizations, including Northern Vermont University. This incident affected hundreds of Blackbaud’s clients around the world, including higher educational institutions and nonprofits. Upon receiving notice of the cyber incident, we immediately commenced an investigation to better understand the nature and scope of the incident and any impact on Northern Vermont University data.
It is important to know that Blackbaud confirmed that data fields containing credit card, bank account information and social security numbers are encrypted and were not part of the attack. Northern Vermont University does not store such payment information in our donor and alumni relations records, but because we take your privacy, protections, and proper use of information very seriously, we want to you to be aware of this data incident. We are contacting you as a precautionary measure and encourage you to remain vigilant regarding any potential misuse of your information.
What Happened
Blackbaud reported that in May 2020, it experienced a ransomware incident. Blackbaud reported the incident to law enforcement and worked with forensic investigators to investigate. Following its investigation, Blackbaud notified its customers that an unknown actor may have accessed or acquired certain Blackbaud customer data. Blackbaud reported that data was exfiltrated by the unknown actor at some point before Blackbaud locked the unknown actor out of the environment on May 20, 2020. A detailed explanation is available on Blackbaud’s website.
What Information Was Involved
As reported by Blackbaud, data fields containing credit card, bank account information or social security number are encrypted and were not part of the attack. The information we retain is generally available to the public, such as name and address, in addition to relationship with the Northern Vermont University.. However, we encourage you to remain vigilant regarding any potential misuse of your information.
Blackbaud’s teams were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. As part of their ongoing efforts to help prevent something like this from happening in the future, Blackbaud informed us that it has implemented several changes to protect your data from any subsequent incidents and that it is using third parties to monitor against future misuse of data.
What Are We Doing
We are working with legal counsel who specialize in privacy issues to learn the full scope of the incident. If we determine that protected information was accessible to the attackers, we will notify any individuals whose protected personal information was involved.
What You Can Do
Although there is currently no evidence that your information will be misused, as a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the appropriate authorities.
For More Information
We sincerely apologize for this incident and regret any inconvenience it may cause you. We deeply value your relationship with Northern Vermont University and thank you for all that you do for our students. Should you have further questions, please contact Leah Hollenberger at 802.635.1251 or Leah.Hollenberger@NorthernVermont.edu.
