July 27, 2020
Blackbaud Data Security Incident
Canada’s National Ballet School (NBS) and Canada’s National Ballet School Foundation (NBS Foundation) have learned of a data security incident involving Blackbaud. Blackbaud is a third-party service provider of cloud-based data management tools to NBS and NBS Foundation and many other members of the arts, education and not-for-profit sectors.
We are serious about data protection and are investigating this incident. Based on the information we have received, we do not believe that our stakeholders are at risk.
At this time, you do not need to do anything. Since learning of this incident, we reviewed our databases to confirm what information was potentially affected and to identify individuals who should be contacted.
Blackbaud provides cloud-based data management tools to many organizations in the arts, education and not-for-profit sectors. NBS and the NBS Foundation use Blackbaud for donor and student management.
According to Blackbaud, an intruder had access to some of Blackbaud’s systems from about February 7, 2020 to May 20, 2020. The intruder was able to extract back-up data that belonged to many Blackbaud customers.
Once Blackbaud discovered the intrusion, Blackbaud blocked further access and commenced an investigation. Blackbaud retained third party forensic investigators and involved U.S. law enforcement (FBI).
The intruder demanded a ransom to destroy the data. Blackbaud paid the ransom so that the intruder would destroy all copies of the data. Blackbaud has received assurances that the data has been destroyed and was not shared with other third parties. Blackbaud is continuing to monitor the internet and dark web for any signs of the data.
What personal information was involved?
No credit card information was involved. Similarly, bank account information was not compromised. No encrypted information is at risk, such as passwords or social insurance numbers. No records in MySchoolApp were affected.
The information was contained in backup files. The information for each individual may be different. For donors, students and family members in our professional program, and participants in our community programs, this information could include name, contact information, gender, a record of communications, and an internal identifying number.
For donors, the information would also include a record of donations and may also contain instruction on how to apply a gift. For students and family members in our professional program only, the information would also include names and contact information for parents and legal guardians, as well as information relating to tuition, financial assistance and other information relevant to enrollment such as residency, citizenship and student visas. If a donor, student or family member or community program participant provided us with their marital or family status, ethnicity, health information, residency or immigration status, this information may also be included in the affected information.
What are we doing?
Once we learned of this incident, we immediately began our investigation.
We asked Blackbaud for more details. We worked with Blackbaud to confirm the timeline of the intrusion, the information that was affected, and what actions they took in response to the incident.
Although we do not believe our donors, students and their families, or community program participants are at risk, we are continuing to monitor this situation.
We will be following up with Blackbaud regularly for confirmation of the results of their ongoing monitoring for any signs of the data.
What do you need to do?
We do not believe our donors, students and their families, or community program participants are at risk based on the information available to us. At this time, you do not need to do anything. We are reviewing our databases to identify individuals who should be contacted.
Blackbaud paid a ransom for the data. Blackbaud states that the cybercriminal confirmed that the extracted data was destroyed. Blackbaud’s investigation (with the support of forensic investigators and law enforcement) shows no evidence that the data has been shared by the cybercriminal. Blackbaud’s advisors are continuing to monitor the internet and the dark web for the extracted data.
How do I get more information?
If you have questions or concerns about this incident, you can contact us by email at firstname.lastname@example.org or by phone at 416-964-5090. Please note that due to the potential volume of inquiries and the ongoing COVID-19 pandemic, our response may be delayed.