Below is a statement released regarding the Blackbaud Data Breach as related to the University of Oklahoma alumni and donors.
The information below relates to a data security incident with a third-party service provider of the University of Oklahoma. We take our data protection responsibilities very seriously and have launched our own investigation.
What Happened
On July 16 we were contacted by the third-party service provider, Blackbaud, one of the world’s largest cloud software providers for higher education and not-for-profit organizations. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of Oklahoma data.
Committed to data integrity and transparency, the University enlists services provided by Blackbaud because they are beneficial to OU’s data analysis and benchmarking processes. The nature of OU’s relationship with Blackbaud is very limited and as such only publicly available information from the OU relationship was exposed to this breach. Rest assured, no social security numbers, credit card numbers or donor giving information have ever been provided to Blackbaud.
What OU Information Was Involved
The data accessed by the cybercriminal may have contained public constituent information such as name, address, phone numbers and email addresses for OU alumni and donors.
Blackbaud’s Response
We would like to reassure our community that:
• Blackbaud, along with law enforcement and third-party cyber security experts, conducted a detailed forensic investigation and took mitigating steps to address this breach.
• Blackbaud confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible and that credit card information was not part of the data theft. (Regardless, OU does not store data of this nature in the Blackbaud environment.)
Blackbaud has committed to strengthen their data environment including improving the specific vulnerability that enabled this breach.