SUNY ESF Alumni Association
Cyber Incident
The ESF Office of Alumni Relations and ESF College Foundation were recently made aware of a data security incident that may have involved information about our alumni and donors. The protection of your data is our utmost concern, and we are sorry if this has caused any inconvenience.
We are sharing this information out of an abundance of caution and have been assured that any data potentially accessed has been destroyed.
This attack was on our third-party cloud-based data storage provider and not ESF computers or networks directly. We have been assured that the host is taking steps to prevent this from happening again.
Please see the information below that explains the incident and steps we have taken in response.
The Incident
The Office of Alumni Relations and College Foundation utilize Blackbaud software to store information on our donors and alumni. Blackbaud is one of the world's largest providers of customer relationship management systems for the higher education sector.
On July 16, 2020, we were contacted by Blackbaud representatives who informed us that a Blackbaud service provider had been the victim of a ransomware attack that culminated in May 2020. View their statement about this incident here.
The cybercriminal was unsuccessful in blocking access to the Blackbaud database involved in the attack. However, the cybercriminal was able to remove a copy of our backup data, which includes SUNY ESF alumni and donor data. Based on their research, Blackbaud and law enforcement officials believe that no data went beyond the cybercriminal.
What information was involved?
We would like to reassure our constituents that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and cybersecurity experts.
Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers or credit or debit card numbers, was accessed.
The following information from your record may have been accessed by the cybercriminal when they made a copy of our database. As noted previously, we received confirmation from Blackbaud that the copy they made has since been destroyed.
- Public information such as name, title, date of birth, spouse
- Addresses and contact details such as phone numbers and email addresses
- Philanthropic interests, giving capacity, and summary giving history to SUNY ESF
- Educational attainment
- Details regarding current and previous employment
- Details of engagement with SUNY ESF, such as event attendance, volunteering activity, and details of meetings and/or correspondence with the University
What actions were taken by Blackbaud?
We have been informed by Blackbaud that in order to protect constituents' data and mitigate potential identity theft, it met the cybercriminal's ransomware demand. Blackbaud has advised us that it has received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify that the data accessed by the cybercriminal has not been misused.
Steps we have taken in response
We immediately launched our own investigation and are following the recommendations of our own cybersecurity consultants. As a result, we have taken the following steps:
- We are notifying you, our affected constituents, to make you aware of this breach of Blackbaud's systems so you, too, can remain vigilant.
- We are working with Blackbaud to understand what caused the delay between finding the breach and notifying us, as well as what actions Blackbaud is taking to increase its security.
We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.
FAQs
We are reviewing Blackbaud's current and proposed security measures for our data.
Blackbaud has advised that it has implemented several changes that will protect data from any subsequent incidents, but we await details on this and what else they plan to do in future.