Blackbaud Data Security Incident

Published August 7, 2020

The information below relates to a data security incident that occurred at Blackbaud, a third-party service provider of the Oklahoma State University Foundation. This incident occurred on Blackbaud’s systems, not on the OSU Foundation’s systems. We take our data protection responsibilities very seriously and have launched our own investigation. This website will be updated as we learn more.

What happened

Blackbaud is one of the world’s largest providers of customer relationship management systems. It provides record-keeping services for the OSU Foundation, as well as other foundations, health care organizations, and educational institutions within the non-profit sector.

Blackbaud informed the OSU Foundation on July 16 that it was the victim of a data security incident in May 2020. The OSU Foundation has since been working diligently to assess the scope and resulting effects that Blackbaud’s incident may have had on our information.

Blackbaud, assisted by independent digital forensics experts and law enforcement, has conducted an investigation into the incident. Specific to the OSU Foundation, please be assured that NO Social Security numbers, bank account numbers, or credit/debit card numbers were involved in the incident.

Currently, based upon the information we have received from Blackbaud, the data accessed may have contained names, phone numbers, addresses, email addresses, giving information, and publicly available donor analytics data. Blackbaud has informed the OSU Foundation that it has no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. Our investigation is still ongoing and our own cybersecurity experts are working to verify this.

Steps the OSU Foundation has taken and what you can do

Ensuring the safety of our donors’ data is of the utmost importance to us. Upon notification of the data breach, the OSU Foundation immediately launched its own internal investigation. The internal investigation is led by the Foundation’s Privacy Incident and Breach Management Team, which has been in place for over three years.

While we do not believe there is a need for you to take any action at this time, it is a general best practice to remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

What Blackbaud is doing

As part of its ongoing efforts to help prevent something like this from happening in the future, Blackbaud has confirmed it has already implemented changes to protect its system from any subsequent incidents. In addition, it has hired a third-party security service to monitor its systems for any suspicious activity.

Blackbaud has also identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix the issue. It has also confirmed through testing by multiple third parties, including the appropriate platform vendors, that the fix can withstand all known attack tactics. Additionally, Blackbaud is accelerating its efforts to further harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based threat detection software.

For more information

We will continue to work with Blackbaud to investigate this incident. Please be assured we take data protection and privacy very seriously at the OSU Foundation and have multiple internal systems in place to preserve the integrity of this information. We are grateful for the continued support of our Cowboy Family alumni and friends.

If you would like an OSU Foundation representative to contact you to further discuss, please email or call 800-622-4678.