
SUNY ESF Alumni Association
Cyber Incident

The ESF Office of Alumni Relations and ESF College Foundation were recently made aware of a data security incident that may have involved information about our alumni and donors. The protection of your data is our utmost concern, and we are sorry if this has caused any inconvenience.

We are sharing this information out of an abundance of caution and have been assured that any data potentially accessed has been destroyed.

This attack was on our third-party cloud-based data storage provider and not ESF computers or networks directly. We have been assured that the host is taking steps to prevent this from happening again.

Please see the information below that explains the incident and steps we have taken in response.

The Incident

The Office of Alumni Relations and College Foundation utilize Blackbaud software to store information on our donors and alumni. Blackbaud is one of the world's largest providers of customer relationship management systems for the higher education sector.

On July 16, 2020, we were contacted by Blackbaud representatives who informed us that a Blackbaud service provider had been the victim of a ransomware attack that culminated in May 2020. View their statement about this incident here.

The cybercriminal was unsuccessful in blocking access to the Blackbaud database involved in the attack. However, the cybercriminal was able to remove a copy of our backup data, which includes SUNY ESF alumni and donor data. Based on their research, Blackbaud and law enforcement officials believe that no data went beyond the cybercriminal.

What information was involved?

We would like to reassure our constituents that a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and cybersecurity experts.

Blackbaud has confirmed that the investigation found that no encrypted information, such as Social Security numbers or credit or debit card numbers, was accessed.

The following information from your record may have been accessed by the cybercriminal when they made a copy of our database. As noted previously, we received confirmation from Blackbaud that the copy they made has since been destroyed.

  • Public information such as name, title, date of birth, spouse
  • Addresses and contact details such as phone numbers and email addresses
  • Philanthropic interests, giving capacity, and summary giving history to SUNY ESF
  • Educational attainment
  • Details regarding current and previous employment
  • Details of engagement with SUNY ESF, such as event attendance, volunteering activity, and details of meetings and/or correspondence with the University

What actions were taken by Blackbaud?

We have been informed by Blackbaud that in order to protect constituents' data and mitigate potential identity theft, it met the cybercriminal's ransomware demand. Blackbaud has advised us that it has received assurances from the cybercriminal and third-party experts that the data was destroyed. Blackbaud has been monitoring the web in an effort to verify the data accessed by the cybercriminal has not been misused.

Steps we have taken in response

We immediately launched our own investigation and are following the recommendations of our own cybersecurity consultants. As a result, we have taken the following steps:

  • We are notifying you, our affected constituents, to make you aware of this breach of Blackbaud's systems so you, too, can remain vigilant.
  • We are working with Blackbaud to understand what caused the delay between finding the breach and notifying us, as well as what actions Blackbaud is taking to increase its security.

We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.

FAQs

We would be happy to send you a copy of your alumni/donor record. Please note that no encrypted information was accessed, which could include your Social Security number. Please reach out via the contact information provided.

Yes, financial information used to process payments online was not accessed as this information is fully encrypted.

As soon as we were notified of the incident on 16 July, we launched an investigation to gather the information we needed to contact you.

Blackbaud has advised that they did not notify us sooner because they needed to defend against the attack; conduct the subsequent investigation; take measures to address the issue that led to the incident; and prepare resources for its customers.

We are reviewing Blackbaud's current and proposed security measures for our data.

Blackbaud has advised that it has implemented several changes that will protect data from any subsequent incidents, but we await details on this and what else they plan to do in future.

We will be reviewing the actions taken by Blackbaud in the coming months to ensure that they are implementing any necessary changes. Our donors and alumni mean the world to us, and we take seriously all actions that threaten to compromise you and our relationship with you.

We do not believe there is a need for our constituents to take any action at this time. As a best practice, we recommend people remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities.

Although we have not been advised officially, we understand a significant number of organizations have been affected globally.

We need to retain a minimum amount of information for statutory purposes; however, we can delete certain information that you might deem sensitive. Please let us know a good time for a call so that we can discuss.