A recent security incident involving one of our third-party vendors
To our Donors and Evans Scholar Alumni:
At Western Golf Association/Evans Scholar Foundation (“WGA/ESF”), we value and respect the privacy of your information, which is why, as a precautionary measure, we are writing to inform you of a recent security incident involving one of our third-party vendors that may have exposed some information about our donors and Evans Scholar Alumni and share some steps that you can take to help protect yourself.
On July 16, 2020, we were notified by one of our third-party vendors, Blackbaud, that it had experienced a security incident potentially involving limited personal information about our donors and Evans Scholars Alumni. Blackbaud is a widely used constituent relationship management software provider for engagement and fundraising offices in higher education and nonprofits. Blackbaud informed us that they discovered and stopped a ransomware attack, but not before some data may have been exposed. According to information provided to us by Blackbaud, the cybercriminal removed a copy of our backup file for the purpose of extorting funds from Blackbaud. Blackbaud stated that the ransomware attack and data theft occurred at some point between February 7, 2020 and May 20, 2020. Blackbaud further stated that they have taken additional steps to ensure that the file was permanently deleted. Additional information about this incident can be found here.
Blackbaud has informed us that the cybercriminal did not access credit card information, bank account information or social security numbers, which are all stored in an encrypted format in a separate system that was not accessed. However, Blackbaud has determined that the stolen file may have contained demographic information about our donors and alumni, including names, dates of birth, telephone numbers, email and postal addresses, and information pertaining to your relationship with WGA/ESF, including donation dates and amounts, if applicable.
Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud has assured us that it has no reason to believe that any data went beyond this cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Although Blackbaud has no evidence of actual misuse of any of this information, we are notifying you out of an abundance of caution. Ensuring the safety of our constituents’ personal information is of the utmost importance to us. Blackbaud has further noted that they have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.
As part of its ongoing efforts to avoid an event like this from happening in the future, Blackbaud has affirmed to WGA/ESF that it has already implemented changes to protect its system from any subsequent incidents. Since learning of the issue, Blackbaud identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix it. The company has also confirmed through testing by multiple third parties, including the appropriate platform vendors, that their fix withstands all known attack tactics. Additionally, Blackbaud is accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms.
As a best practice, we recommend you remain vigilant for incidents of fraud and identity theft by reviewing your account statements and monitoring your credit reports for unauthorized activity. You should promptly report any suspicious activity to your financial institution, proper law enforcement authorities, including your state’s Attorney General’s office, and each of the three nationwide credit reporting agencies. For your convenience, the contact information for these agencies is below:
- Equifax, PO Box 740241, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
- Experian, PO Box 2104, Allen, TX 75013, www.experian.com, 1-888-397-3742
- TransUnion, PO Box 2000, Chester, PA 19022, www.transunion.com, 1-800-888-4213
Should you have any further questions or concerns regarding this matter, please do not hesitate to contact us at 888-242-4557 between 8:30 a.m. – 4:30 p.m. Central Time, Monday through Friday.