Boston University sent an email Saturday notifying potentially affected members of the community about a data security breach from May.
Blackbaud, one of BU’s technology partners, had experienced a ransomware attack. The stolen file may have contained demographic data, contact and employment information, as well as details about members’ relationship to BU, including degrees received and donation or gift history.
The information security notice stated no credit card information, financial account information, social security numbers or passwords were compromised.
This kind of information is only stored on University servers, if at all, according to BU spokesperson Colin Riley. He said the stolen file contained personal information pertaining to BU donors, faculty, staff, students, alumni and parents.
Later emails were sent to other affected members of the community this week.
Several institutions were affected by the ransomware attack, according to the email. The cybercriminal removed a copy of some of Blackbaud’s customer backup files before being blocked from accessing additional files by Blackbaud’s Cyber Security Team, which collaborated with independent forensics experts and law enforcement.
Blackbaud paid the ransom demanded by the cybercriminal to receive confirmation the stolen file was destroyed and that the information it contained would not be used. Blackbaud’s website stated there is “no reason to believe any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.”
Blackbaud reported to BU that it was successful in identifying how the security breach occurred and has tested new precautions with multiple third parties to ensure its new system now “withstands all known attack tactics.”
Though this data security incident did not uniquely target BU, Riley said being aware of the reality of cybersecurity threats is important.
“The University wants to make sure that one, people are aware that it occurs. Two, to report it if they think anything is suspicious,” Riley said. “[Cybercrime] is almost invisible. And what’s real challenging is not just the individuals out there doing it, but when you find out that there are organized groups involved in this process.”
Riley said BU is lucky the data stolen did not contain more sensitive information, such as social security numbers or financial information.
“I think the good news is that we’re careful on what type of information was stored there. It was the type that was really just basic information,” Riley said. “In this case, I think the largest group [affected] would have been out of our Alumni Relations group.”