CEU has been notified by Blackbaud, a third-party service provider and one of the world's largest providers of customer relationship management systems for non-profit organizations and the higher education sector, of a data security incident. While Blackbaud assures us that the data compromised in the incident was comparatively low risk as it did not involve credit card information, we immediately launched our own investigation and wanted to inform our community about the situation and the steps we are taking to ensure the greatest possible level of data security.
On 16 July, Blackbaud, the provider of CEU’s relationship management system, informed us that they had been the victim of a ransomware attack. As noted in Blackbaud’s public disclosure, the cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of data from Central European University (Kozep-europai Egyetem).
We use this system to record engagement with members of the University community, including alumni, employers, supporters, and stakeholder networks. Having undertaken a review of the information shared by Blackbaud mapped against our data, we are sharing details of this breach of Blackbaud's systems with members of our community today.
What information was involved?
We would like to reassure our community that:
- A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
- The attack did not happen at a CEU facility or involve any CEU data handlers, and did not specifically target CEU or our database;
- Blackbaud has confirmed that the investigation found that no encrypted information, such as bank account details, was accessible;
- Blackbaud also confirmed that no credit card information formed part of the data theft.
The data accessed by the cybercriminal may have contained some of the following information:
- Basic details e.g. name, title, gender, date of birth, and alumni/employer ID (if applicable);
- Addresses and contact details e.g. phone and/or email;
- A record of engagement with CEU e.g. inquiries, event participation, volunteering, donations, and other interactions alumni, employers, and supporters have with us.
What are we doing?
We have been informed that in order to protect customers' data and mitigate potential identity theft, Blackbaud met the cybercriminal's ransom demand. Blackbaud has advised us that it received assurances from the cybercriminal that the data had been destroyed. However, we immediately launched our own investigation and have taken the following steps:
- We are notifying our community so that you are aware of this breach of Blackbaud's systems and can remain vigilant;
- We have informed the Hungarian data protection authority of the breach;
- We are taking steps to understand how many other parties in higher education and the wider non-profit sector have been affected;
- We are working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security;
- We are reviewing our internal practices and continue to take advice from our Data Protection and IT security teams to ensure the greatest levels of data protection moving forward.
There is no need for our community to take any action at this time. As a best practice, we recommend everyone remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.
If you would like to contact a member of the CEU team or set up a time to speak with us directly, please write to Blackbaud_Response@ceu.edu. You can also change your communication preferences at any time by writing to us at the above email.
We very much regret any inconvenience that this breach of Blackbaud's systems may cause. Please be assured that we take data protection very seriously and we are grateful for our community's continued support and engagement.