Public Notice of Blackbaud Data Incident

Blackbaud, Inc. recently made us aware of a data security incident that may have affected some of our donors’ or prospective donors’ personal data. Blackbaud is the global market leader in third-party, not-for-profit donor applications used by many charities, health, and educational organizations in the U.S. and abroad.

MUSC values you, recognizes the great trust you place in our relationship, and takes the protection of your information very seriously. We, therefore, want to share the details that we have received from Blackbaud surrounding this incident.

What happened?

On July 16, 2020, we were notified that Blackbaud, an outside vendor of MUSC, had discovered and stopped a ransomware attack of Blackbaud’s self-hosted platform in May of 2020.

What information was involved?

Blackbaud has specifically informed us that the cybercriminal did not access credit card information, bank account information, or social security numbers. According to Blackbaud, the cybercriminal did, however, remove in as early as February a copy of a subset of Blackbaud’s customer data. The information removed included information used by MUSC for fundraising and donor relations purposes, such as individuals’ contact information, demographic information, birthdate and relationship and donation profile/history with MUSC Blackbaud paid the cybercriminal’s ransom demand with confirmation that the copy the cybercriminal removed had been destroyed.

Blackbaud does not believe this incident poses any risk to our donors, because, based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.

What are we doing?

MUSC is reviewing all relevant business practices and procedures regarding the security of its donors’ and prospective donors’ personal data. Blackbaud has reported that it has already implemented numerous security changes. Blackbaud has stated that it quickly identified the vulnerability associated with this incident and took swift action to fix it. Blackbaud has stated that it has confirmed through testing by multiple third parties that Blackbaud’s fix withstands all known attack tactics. Finally, Blackbaud has reported it is further hardening its environment through enhancements to access management, network segmentation, deployment of additional endpoint and network-based platforms.

What can you do?

We do not think there is anything more you need to do at this time aside from maintaining your routine personal practices of remaining vigilant to cybercriminal scams (e.g., email /phone scams asking for money/information), and promptly reporting any suspicious activity to law enforcement authorities or the credit bureaus: Equifax (PO Bx 74021, Atlanta, GA 30374; 800-685-1111), Experian (PO Bx 2002, Allen, TX 75013; 888-397-3742) or TransUnion (PO Bx 1000, Chester, PA 19016; 800-916-8800).

For more information about this incident, kindly consult the Blackbaud website at blackbaud.com/securityincident.

We apologize for any inconvenience this may have caused you. So much of our work today depends on the support of people and organizations like you. For that reason, we hold our partnership with you in the highest regard and are deeply committed to maintaining the trust upon which it is built. Thank you for your patience and continued support of MUSC.

Published 8/10/2020