Statement on Blackbaud data incident
Release Date 23 July 2020
Statement by Dr Richard Messer, Chief Strategy Officer and University Secretary, University of Reading:
The University has been informed that an online database, containing details of alumni and supporters of the University of Reading and Henley Business School and operated by an outside contractor, was criminally hacked in May, leading to unauthorised access to personal data.
I have today written to apologise and directly inform those in our community who we consider may be at risk, so that they can take any steps necessary to protect themselves.
Our alumni and supporters of the University of Reading are important members of our community. I sincerely apologise to them for this incident and am sorry for any worry or inconvenience it may cause.
Details of incident
On Thursday 16 July, we were informed by Blackbaud, the company that hosts our database of information for University of Reading and Henley Business School alumni, that it was subject to a ransomware cyber security incident in May 2020. Personal data, including that of some people on our database, was taken by the perpetrator and a ransom demanded. Blackbaud has stated that it paid the ransom and that it is confident that the stolen data has been destroyed.
Blackbaud has also stated that it has deployed additional measures to mitigate the adverse effects of the breach and to ensure the ongoing security of the data they host on our behalf.
What type of personal data was involved?
It is important to note that no sensitive financial information was involved, such as bank account, credit card details, or passwords. Where we do hold such information, it is held in a secure encoded form, and this has not been affected by this incident.
However, a range of other personal information was accessed. Our database holds information about our alumni and supporters, and while many records are only partial, they can include details of dates of birth, contact information such as phone numbers, demographic information, and a history of relationships with the University, such as when people studied here, donation dates and amounts, and events organised by the University or Business School that people may have registered for or attended.
What the University is doing
Blackbaud is a major supplier of database services to UK and US universities and charities, and it is likely that many other institutions may have been affected. While the University is responsible for the security of your data, the attack was against our supplier and not the University's own computer systems. We have received assurances that the data is secure, and we continue to work with Blackbaud to understand how this security breach occurred and what security measures are in place to prevent an incident like this from happening again.
We have notified the UK Data Protection Regulator, the Information Commissioner's Office, about the breach.
We are reviewing options for enhanced security arrangements in-house so that alumni and supporters can be confident that when we contact them, or they contact us, we can securely confirm their identity.
We are notifying those we consider may be at risk to explain what has happened and so that they can be alert to any improper use of their details. We have not contacted people directly who we do not think are at high risk.
What we have advised people to do
We are not advising that any specific action needs to be taken, but we are recommending that people remain vigilant and immediately report any suspicious activity or suspected identity theft to law enforcement agencies. More information and advice is available from Action Fraud, at https://www.actionfraud.police.uk/.
As is always the case, anyone should be careful about providing personal financial information, such as bank account or credit card details, to any third party directly making contact by email or phone. The University of Reading and Henley Business School will only ever ask alumni or supporters to provide financial details via a secure web link, or on the telephone with a range of additional security checks, so they can be confident that they are giving their information to us. If alumni or supporters have any doubts about whether contact from us is genuine, they can call us on our dedicated helpline to check.
If alumni or supporters have any further questions or concerns, our dedicated team can be contacted at:
Telephone: (+44) 1491 736425
Our team will be available to assist between 10.00am and 4.00pm Monday to Friday.
We may undertake additional security checks in order to verify a caller's identity.