Dear friends,
This email is to inform you of a data security incident related to a third-party service provider of Durham University.
What happened?
On Thursday 16 July, we were contacted by Blackbaud. They are one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the higher education sector.
They informed us that they had been the victim of a ransomware attack in May 2020. A cybercriminal was able to remove a copy of a subset of data from a number of their clients, including a number of peer institutions and charities across the UK.
For some institutions affected, the data breach was linked to the institution’s live database environment. For Durham University, the breach appears to have been related to a historic backup file containing a subset of data gathered via our ‘Net Community’ portal which runs behind our alumni website dunelm.org.uk.
What information was involved?
We would like to reassure you that:
- A detailed forensic investigation was undertaken on behalf of Blackbaud by law enforcement and cyber security experts; and
- Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account, credit card information or other payment details or passwords, was accessible.
The data accessed illegally may have contained some of the following information:
- Basic details (e.g. name, title, gender, date of birth); and
- Addresses and contact details (e.g. phone, email, and LinkedIn profile URL – if supplied)
How is the University responding to the situation?
Durham University takes the protection of data very seriously. Before engaging Blackbaud, a thorough and comprehensive due diligence review was undertaken by our CIS technical and data security colleagues.
We have been informed that, in order to protect their customers’ data and mitigate potential identity theft, and having taken expert advice, Blackbaud met the ransomware demand. Blackbaud have advised us that they paid the ransom and received credible assurances that the data had been destroyed.
However, we have immediately launched our own investigation and have taken the following steps:
- We are informing you, so that you are aware of this breach of Blackbaud’s systems and can remain vigilant;
- We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance;
- We are taking steps to understand how many other parties in the higher education and the wider not-for-profit sector have been affected;
- We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.
What should I do?
There is no need for you to take any action at this time. As best practice, we recommend that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If you would like to speak to a member of our team, please contact: daro.privacy@durham.ac.uk. Otherwise, we will update you further in due course.
We are grateful for your attention to this notification.
Best wishes,
Andy Harston, Director for Development and Alumni Relations