Blackbaud Cyber Incident
To our alumni and friends,
Drake University was recently made aware of a cyber incident that may have involved information about our constituent records. The confidentiality, privacy, and security of information in our care are among our highest priorities, and we take this incident very seriously. The information below explains the incident, our response, and the resources available to you to help protect your information from possible misuse.
On Thursday, July 16, 2020, Drake University received notification from one of its third-party vendors, Blackbaud, Inc. (“Blackbaud”), of a cyber incident. Drake University uses Blackbaud to provide fundraising and relationship management services through its Raiser’s Edge product. Upon receiving notice of the cyber incident, we immediately commenced an investigation to better understand the nature and scope of the incident and any impact on Drake University data.
Blackbaud reported that, in May 2020, it experienced a ransomware incident that resulted in encryption of certain Blackbaud systems. Blackbaud reported the incident to law enforcement and worked with forensic investigators to determine the nature and scope of the incident. Following its investigation, Blackbaud notified its customers that an unknown actor may have accessed or acquired certain Blackbaud customer data before Blackbaud locked the threat actor out of the environment on May 20, 2020. Drake’s investigation included working diligently to gather further information from Blackbaud to understand the scope of the incident. On or about August 5, 2020, Drake University’s investigation determined that the information potentially affected may have contained personal information.
Our investigation determined that the involved Blackbaud systems contained information including names, contact information, and relationship history with Drake University. Please note that, to date, we have not received any information from Blackbaud that any specific individual’s information was accessed or acquired by the unknown actor. Blackbaud reported that Social Security numbers, credit card information, and financial account numbers were not impacted as a result of this event. Moreover, Drake University does not store this type of information in the Blackbaud’s systems.
As part of Drake’s ongoing commitment to the security of information in our care, we are working to review our existing policies and procedures regarding our third-party vendors, and are working with Blackbaud to evaluate additional measures and safeguards to protect against this type of incident in the future. We will also be notifying state and federal regulators, as required.
As a best practice, we suggest that you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities including your state’s Attorney’s General office. We also suggest you monitor national credit reporting agencies and report to them if you have concerns about suspicious activities.
We understand that you may have questions about the Blackbaud incident that are not addressed in this communication. If you have additional questions, please call our dedicated assistance line at 1-800-626-4089 Monday-Friday, 9 a.m.–12 p.m. & 1–4 p.m. Central. You may also write to the Drake University Office of Advancement at 2507 University Ave, Des Moines, IA 50311.
We sincerely regret any inconvenience or concern this incident has caused.