Blackbaud Security Incident Statement
September 2, 2020

Blackbaud, Inc. is a vendor that provides a variety of specialized customer relationship management products to universities and nonprofits, including many in North Dakota. They recently reported they discovered and addressed a cybersecurity incident that affected many of their customers, including the UND Alumni Association & Foundation ("UNDAAF"). While we have no information indicating that your information was misused, we are providing you with this notice in an abundance of caution and transparency.
 
The incident included name, address and/or date of birth. Sensitive information like financial account information, Social Security numbers, and payment card information is NOT maintained by UNDAAF and is NOT involved in this incident.
 
Blackbaud has engaged third party forensic experts to actively monitor the possible use of this information and to notify individuals upon detection of misuse. No misuse has been reported and we do not believe there is a need for you to take any action at this time. As a best practice, we recommend that you remain vigilant and promptly report to the proper law enforcement authorities any suspicious activity or suspected identity theft.
 
The UND Alumni Association & Foundation understands the tremendous responsibility we have to protect the data we hold. We sincerely regret any inconvenience this incident may cause you.
We were recently notified by one of our vendors, Blackbaud Inc., of a security incident in which they stopped a ransomware attack. However, prior to being locked out, the cybercriminals removed backup files from Blackbaud’s platform, which hosted data for numerous colleges, universities, health care organizations, foundations, and other non-profit organizations around the world, including UNDAAF. Blackbaud believes the incident occurred between February and May 2020. Blackbaud discovered the incident in May, conducted an investigation, and notified UNDAAF on July 16, 2020.
After a careful review, on August 11, 2020 we determined that the information removed by the threat actor may have contained some of your information, which is limited to your name, address and/or date of birth. Sensitive personal data like financial account information, Social Security numbers, and payment card information is NOT maintained by UNDAAF and is NOT involved in this incident. Also, Blackbaud worked with law enforcement and third-party experts and informed us that they paid the threat actor to ensure that the data was permanently destroyed.
We immediately launched our own investigation with University Information Security. We requested more information from Blackbaud to understand why there was a delay in notifying us following discovery of the incident and to learn what additional security measures have been taken. We assessed the exact impact of the incident on our data and notified impacted individuals directly to comply with state-by-state legal obligations.
According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available. Blackbaud indicates that it has hired a third-party team of experts, including a team of forensics accountants, to continue monitoring for any such activity. Unfortunately, these ransomware attacks are becoming more and more common. As a best practice in today’s world of cybercrime, we recommend that you remain vigilant and report any suspicious activity or suspected identity theft to the proper law enforcement authorities. We also recommend that you review Preventing Identity Theft and Fraud by visiting undalumni.org/prevent for more information on ways to protect yourself and your data.
We remain fully committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We sincerely regret any inconvenience this incident may cause you. Should you have any further questions or concerns regarding this matter, please do not hesitate to contact our Vice President of Finance, Nancy Pederson at NancyP@undalumni.net or by calling 701.777.2611.