Website Statement and FAQs
On 16 July 2020 Newman University become aware of a data security incident that had affected one of Newman University’s third party providers, Blackbaud.
Blackbaud is one of the world’s largest providers of client relationship management (CRM) services and is used globally by many universities and charities. They are a respected provider of education and third Sector CRM systems, which is one of the reasons why Newman University chose Blackbaud to be responsible for its database.
Like many other universities and educational establishments, we were informed by Blackbaud that it discovered in May 2020 that it had fallen victim to a cyber security incident on its systems. Blackbaud have provided reassurances that that they have taken steps to mitigate the impact of the incident and any risk to information. Notwithstanding these reassurances, we chose to inform our enquirers, applicants and alumni of this incident so that they can be better informed. If your personal data was part of this incident then we have contacted you individually.
Based on what we and other universities have been told by Blackbaud, there is no need for individuals to take any specific actions. Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has no reason to believe that any data will be disseminated or otherwise made available publicly. No credit or debit information is stored by Newman University on the CRM system. However, these incidents serve as a reminder to remain alert and vigilant to unexpected or suspicious communications and online activity.
We recognise that this will come as unsettling news to our community and are deeply sorry that this has happened. Some further information about the incident is set out below. Those requiring more information may wish to read the FAQ section below, check back to this website for further updates or contact firstname.lastname@example.org
Update – 06.11.2020: The regulator, the Information Commissioner’s Office (ICO), has written to Newman University to say that, ‘We have considered whether your organisation has complied with the requirements of Article 5.1(f), the GDPR security principals, as well as Article 28, the requirement of data controllers to only use data processors that can provide adequate protection of personal data. After careful consideration based on the information that has been provided, we have decided not to take any formal enforcement action against your organisation on this occasion. There is evidence that demonstrates that you took appropriate due diligence in sourcing a reputable data processor… it would appear that your organisation acted in a reasonable attempt to meet compliance under your own obligations… We now consider this matter closed.’
Frequently Asked Questions
In May, Blackbaud stopped a ransomware attack in its systems. Whilst Blackbaud were able to stop the attack from blocking its systems and encrypting data, the cybercriminal removed a copy of a subset of data from Blackbaud’s self-hosted environment. Blackbaud paid the cybercriminal’s ransom demand in return for confirmation that the copy of the data they removed was destroyed.
Based on the nature of the incident, their research, and third party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. As a precautionary measure, Blackbaud have hired outside experts to monitor the dark web indefinitely and they have found no evidence that any information has been released.
What steps have you taken?
- Newman University’s priority remains our relationship with our enquirers, applicants, alumni and wider community including students and staff, and the protection of their information.
- As soon as we assessed the incident, we reported the matter to the Information Commissioner’s Office (ICO). Blackbaud has also reported the incident to the ICO as the data security incident occurred on their systems.
- We have also sent communications (via email or letter) to anyone whose personal data was included in the incident.
- We are in the process of moving to a new CRM provider.
What do I need to do?
As explained above, there is no need for you to take any specific action. For the avoidance of any doubt, we have no reason to believe that individual data records were targeted. Blackbaud has confirmed the cybercriminal’s motivation was to disrupt Blackbaud’s business by encrypting files in their data centres, which Blackbaud was able to prevent.
I applied to study at Newman University this year. Will it affect my application or whether I can enrol?
No, it will not affect these things. No personal data was corrupted or deleted as part of the security incident. Your application and enrolment will not be affected by this situation.
The attack happened in May 2020, why are you only telling people in July and August 2020?
Blackbaud first detected the cyber attack on 14 May 2020. We understand that the delay was caused by Blackbaud defending against the attack, understanding their own investigation, applying relevant remedial measures and preparing notifications to customers.
We were advised of the incident on 16 July 2020, since then we have undertaken our own investigations with Blackbaud in order to collate the relevant information to contact people whose personal data was involved.
In October 2020 I read in the news that Blackbaud has now said bank / financial details and passwords were accessed in some cases after all. Did that happen at Newman?
No. Newman University was not one of the Blackbaud customers affected by that. Blackbaud contacted all customers who were affected by this and they did not contact Newman University about it. Furthermore, Newman University has never put bank details into that database as it has not used it for fundraising / payments of any type. Newman University does not use the part of the database system that gives individual passwords for the people whose information is on the database. Therefore Newman University can be certain that no bank details / financial details or passwords were affected by this.
Did you report this to the ICO?
Yes, once we had assessed the situation we reported the incident to the Information Commissioner’s Office (the ICO), who are the regulator, and provided them with the information they asked for. They wrote to Newman University on 6th November 2020 closing the matter.
‘…We have considered whether your organisation has complied with the requirements of Article 5.1(f), the GDPR security principals, as well as Article 28, the requirement of data controllers to only use data processors that can provide adequate protection of personal data. After careful consideration based on the information that has been provided, we have decided not to take any formal enforcement action against your organisation on this occasion. There is evidence that demonstrates that you took appropriate due diligence in sourcing a reputable data processor… it would appear that your organisation acted in a reasonable attempt to meet compliance under your own obligations… We now consider this matter closed.’
Are you continuing to use Blackbaud?
Update – October 2021: No. When Blackbaud reported the data incident (July 2020) we were already in the process of moving to a new database / client relationship manager supplier and have since completed the process. On legal advice, although we had stopped adding new information to it, we retained our Blackbaud Raiser’s Edge account for 12 months after we had emailed out notifications to those who might have been impacted by the data incident (which we did in July 2020 and August 2020). This was to allow a reasonable amount of time for people to get in touch with any questions or to request a copy of their personal data, if it was held on the affected database. After the 12 months had expired we cancelled our contract for the Blackbaud product in order to avoid retaining data which was no longer necessary to process. The cancellation of the contract involves the deactivation of the account and the deletion of the data.
Where can I go for more information?
We are sorry that this has happened and deeply regret any concern or inconvenience this incident may have caused. We will pass on any important information that we received from Blackbaud as and when we receive it. Please return to this webpage for updates or contact email@example.com.