01 October 2020
Statement on the Blackbaud data breach
We have received confirmation from Blackbaud that King’s College London has not been affected by the latest update regarding payment details, as reported by BBC News. We can confirm that no payment details were accessed as part of the incident we reported in July.
We have been informed of a data security breach by one of our suppliers – Blackbaud – which is a third-party provider of customer relationship management systems for the Higher Education sector and not-for-profits.
We understand that this breach included information from a significant number of organisations in the UK and US, including King’s College London.
Whilst Blackbaud only stores a very limited subset of our data, as a valued member of our King’s community we are making you aware of the incident because it may have affected your personal details.
You do not need to take any action at this time.
No credit, debit card or bank account details were compromised as these were not stored on this Blackbaud platform.
On 16 July 2020 we were contacted by Blackbaud, to inform us that they had discovered and stopped a ransomware attack in May of this year. As part of this attack a copy of a sub-set of data was taken. This file may contain some of your personal information.
The type of data the cybercriminal could have accessed may have contained:
- Personal details such as name, title, gender, date of birth
- Contact details like postal address, email, phone number
- Any details you may have added when registering for Alumni Online or to attend an event.
Financial details such as credit, debit card details or bank account information were not stored on this platform.
Blackbaud has informed us that it has conducted its own investigation into the incident and involved law enforcement agencies. In addition, Blackbaud has obtained confirmation that the copy of the stolen data has been destroyed.
We have taken the following actions in response to this incident:
- We have commenced a thorough investigation, working with our Data Protection Officer, Blackbaud and other Higher Education institutions.
- Blackbaud have reported this breach to the Information Commissioner’s Office (ICO), and King’s College London have also submitted their own ICO report.
- We have taken the decision to advise our alumni and supporters as soon as we could with the information available to us.
- Separately, we have ended our contract with Blackbaud for the data platform affected.
What do you need to do?
You do not need to take any action in relation to this incident.
We are making you aware so you can remain vigilant and only open and respond to emails from a legitimate contact or source. Always be careful not to disclose financial information or passwords to anyone over email.
King’s College London continues to work closely with Blackbaud and the Higher Education sector to ensure any risks are mitigated resulting from this breach.
We are disappointed that this has happened. We want to ensure you that we take data protection seriously and are sorry for any inconvenience this may have caused you and any impact on our alumni and supporters.
If you have any concerns then please email firstname.lastname@example.org.