August 17, 2020
NOTICE OF DATA SECURITY INCIDENT
The University of Utah’s University Advancement office takes the protection and proper use of your information seriously. We recently received notification from one of our vendors, the software firm Blackbaud, regarding a data security incident. The University of Utah is among hundreds of educational institutions and nonprofit organizations around the world using Blackbaud and its products for advancement support services.
Since being notified of the incident in July, we have been working to determine the extent of the effect on University data and the best path forward. We have no reason to believe your information has been misused. We are sharing this information out of a desire for transparency and an abundance of caution and concern for the protection of your data.
What happened
According to Blackbaud, in May 2020 the company discovered and stopped a ransomware attack. Blackbaud worked with law enforcement and paid a ransom to ensure the stolen data file was permanently destroyed. Based on the nature of the incident, their research, and a third-party (including law enforcement) investigation, Blackbaud stated there is no reason to believe the stolen data went beyond the cybercriminal. Blackbaud further states there is no reason to believe data was or will be misused, disseminated or otherwise made available publicly. Blackbaud will continue to monitor for indications of release or misuse of the data.
What information was involved
A detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and third-party cybersecurity experts. Blackbaud has confirmed the investigation found no encrypted information, such as bank accounts, credit cards, or passwords, was compromised during the attack.
The University of Utah Advancement database does not save or store credit card numbers, Social Security numbers, or banking information. University Advancement evaluated information in the Blackbaud files. From this review, we determined the compromised files may have included (as applicable):
- Contact information, such as name, partner name, addresses, phone numbers
- Gender
- Date of birth
- Committee/activity involvement
- Summary of U degrees
- Summary of past donations
What we are doing
We will continue to monitor this incident. We are working with Blackbaud to understand why a delay occurred between finding the breach and notifying institutions affected. We have requested full details from Blackbaud on the additional security measures they plan to put in place.
Furthermore, University Advancement is actively reviewing information protocols, reinforcing information security procedures with contractors, and implementing changes where needed to help prevent an incident like this from happening again. We are working with the University of Utah Information Security Office to comply with all security incident reporting requirements.
What you can do
Again, please know we take the protection and proper use and storage of your information very seriously and are providing this information as a precautionary measure only. While Blackbaud is not recommending individuals take any specific action in response to this incident, we recommend you remain vigilant to fraudulent activity.
We value the trust you place in the University of Utah and sincerely apologize for any inconvenience or concern this incident may have caused. If you have additional questions or concerns, please do not hesitate to contact us at advancement@utah.edu.
FOR MORE INFORMATION
Please refer to Blackbaud’s dedicated page on this security incident.
If you have additional questions, please email advancement@utah.edu.