Blackbaud Data Breach

We would like to let you know about a data security incident involving a third-party service provider used by the Southwest Minnesota State University Foundation, Alumni Association, and Minnesota Ag and Rural Leadership, which may have involved your personal contact information. The SMSU Foundation, Alumni Association, and MARL take the protection and proper use of your information very seriously. We are therefore contacting you to explain the incident and provide you with options to further protect yourself. 
 
What Happened
We were recently notified by one of our third-party service providers, Blackbaud, of a security incident. You may have already received a notification about this incident from other organizations you support, as Blackbaud’s fundraising and database services are used by thousands of nonprofit organizations worldwide and many of the institutions of higher education in the Minnesota State System.
 
At this time, we understand Blackbaud discovered and stopped a ransomware attack. After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement— successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from their system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of a backup file containing personal information on alumni and donors. This occurred at some point beginning on February 7, 2020 and they could have had access intermittently until May 20, 2020.
 
What Information Was Involved
It’s important to note that the cybercriminal did not access credit card information, bank account information, or social security numbers. However, Blackbaud has determined that the stolen file may have contained demographic information about some of our donors and alumni, which may include names, dates of birth, telephone numbers, email and postal addresses, and information pertaining to your relationship with Southwest Minnesota State University Foundation, including donation dates and amounts.
 
Based on the nature of the incident, research done by Blackbaud, and third-party (including law enforcement) investigations, Blackbaud has assured us that it has no reason to believe any data went beyond this cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Even though there is no evidence of actual misuse of any of this information, we are notifying you out of an abundance of caution. Blackbaud has further noted that they have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.
 
What We Are Doing
We sincerely apologize for this incident and any inconvenience it may cause. Blackbaud has affirmed that it has already implemented changes to protect its system from any subsequent incidents. Additionally, they are accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.
 
What You Can Do
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities such as the Federal Trade Commission, and the Office of the Minnesota State Attorney General.
 
For More Information
The following website has been created by Blackbaud to provide additional information about this incident: https://www.blackbaud.com/securityincident
 
Should you have any questions or concerns regarding this matter, please do not hesitate to contact Nathan Polfliet, Co-Executive Director of Advancement and Foundation at nathan.polfliet.2@smsu.edu.
 
Sincerely,
Nathan Polfliet
Co-Executive Director of Advancement and Foundation