Potential Data Security Incident

Friday, July 31, 2020

To the California Lutheran University Community:

California Lutheran University (Cal Lutheran) recently learned of a ransomware attack on one of its third-party service providers, Blackbaud. This attack did not affect any systems at Cal Lutheran.

Blackbaud provides education administration, fundraising, and financial management software to many nonprofits and schools to support their fundraising and engagement efforts. According to Blackbaud, the ransomware attacker stole Blackbaud customer data and demanded that Blackbaud pay a Bitcoin ransom in exchange for an assurance of data destruction. Blackbaud says it paid the ransom and received the assurance of data destruction, but Cal Lutheran cannot be completely certain that the data was in fact destroyed. 

Importantly, Cal Lutheran does not store Social Security numbers, credit card information, or bank account information in the Blackbaud environment. But the information stored in the Blackbaud environment does include other less sensitive data types (such as name and date of birth). 

Out of an abundance of caution, Cal Lutheran is providing this voluntary notice. Cal Lutheran also is evaluating any possible legal requirements related to more formal notice. 

We deeply value your relationship and will continue to be vigilant about data security and privacy. Thank you for your support of Cal Lutheran. If you have any questions or concerns about this matter, please contact us at WeCare@callutheran.edu.

Frequently Asked Questions

Q:        I received an email saying (or otherwise learned) that my information may have been compromised in the Blackbaud ransomware attack.  What’s going on?

A:         Cal Lutheran recently learned of a ransomware attack on one of its vendors, Blackbaud.  This attack did not affect any systems at Cal Lutheran.

Blackbaud provides education administration, fundraising, and financial management software to many nonprofits and schools to support their fundraising and engagement efforts.  Cal Lutheran’s advancement office used Blackbaud to track donations and fundraising efforts. 

According to Blackbaud, the ransomware attacker stole Blackbaud customer data and demanded that Blackbaud pay a Bitcoin ransom in exchange for an assurance of data destruction.  Blackbaud says it paid the ransom and received the assurance of data destruction, but Cal Lutheran cannot be completely certain that the data was in fact destroyed. 

Based on that, Cal Lutheran decided to notify our community of the incident on the Cal Lutheran Web site and through email.

Q: Now that I’ve received this notice, what should I do?

A: Because the Cal Lutheran data in the Blackbaud environment doesn’t include Social Security numbers, credit card numbers, banking information, or anything else typically used to commit identity theft or other kinds of fraud, there really isn’t anything you should do at this time other than to continue to be vigilant about protecting your personal information generally because ransomware attacks unfortunately have become commonplace.  We reiterate that this incident did not affect any Cal Lutheran systems and that Cal Lutheran remains deeply committed to privacy and security.

Q:        Was Cal Lutheran hacked?

A:         No, Cal Lutheran was not hacked. Cal Lutheran vendor Blackbaud was the target of the ransomware attack.  

Q: Should I change the way I contribute money to Cal Lutheran because of this incident?

A: No, because Cal Lutheran does not use the Blackbaud environment for payment processing.  As noted, no credit card information was affected by this incident.

Q:        When did this incident occur?

A:         Frustratingly, Blackbaud did not disclose the incident to its customers, including Cal Lutheran, until July 16, 2020.  According to that disclosure by Blackbaud, the ransomware attack occurred in May of 2020.  

Q:        Did the hackers take any data?

A:         According to Blackbaud, the ransomware attacker stole Blackbaud customer data and demanded that Blackbaud pay a Bitcoin ransom in exchange for an assurance of data destruction.  Blackbaud says it paid the ransom and received the assurance of data destruction, but Cal Lutheran cannot be completely certain that the data was in fact destroyed.

Q:        Will Cal Lutheran be providing any sort of additional formal notification or providing credit monitoring services?

A:         Cal Lutheran is conducting a full investigation to determine the degree to which any sensitive information stored by Cal Lutheran in the Blackbaud environment was affected in the ransomware attack on Blackbaud.  If required by law, Cal Lutheran will promptly provide additional notice to potentially affected individuals.

Q:        What sort of data does Cal Lutheran store with Blackbaud?

A:         Fortunately, Cal Lutheran does not store any Social Security numbers, credit card information, or bank account information in the Blackbaud environment.  But the information stored by Cal Lutheran in the Blackbaud environment does include other less sensitive data types (such as name and date of birth). 

Q:        What will Cal Lutheran do to make sure this doesn’t happen again?

A:         Cal Lutheran’s systems were not compromised in any fashion, and Cal Lutheran remains deeply committed to privacy and data security.  As to Blackbaud, Cal Lutheran continues its investigation and will take all steps prudent to minimize the chances of something like this occurring again in the future. 

Q:        Will Cal Lutheran be providing additional updates?

A:         Our investigation is ongoing, but because this happened on Blackbaud’s, not Cal Lutheran’s systems, information available to Cal Lutheran is incomplete.  But if Cal Lutheran learns that additional updates or notifications would be beneficial to you, Cal Lutheran will provide those updates or notifications.

 

©