August 14, 2020
The Saint Paul Seminary (TSSP) were recently notified of a data incident regarding Blackbaud, Inc. (Blackbaud) that involved personal information about some TSSP friends and supporters. Numerous non-profits were affected by this incident, including Saint John Vianney College Seminary and The Saint Paul Seminary. We take this incident very seriously. This notice describes what happened, what we are doing, and what steps you can take.
Blackbaud provides certain information management services through a product called ResearchPoint. On July 16, 2020, we received notification that on May 14, 2020, Blackbaud discovered a ransomware attack that involved information maintained for TSSP in ResearchPoint. A cybercriminal removed a backup copy of our data in ResearchPoint from Blackbaud’s self-hosted storage environment. According to Blackbaud, this incident occurred between February 7, 2020 and May 20, 2020.
When Blackbaud became aware of this incident, it took steps, together with independent forensics experts and law enforcement, to prevent the cybercriminal from blocking Blackbaud’s system access and fully encrypting files, and ultimately expelled the cybercriminal from Blackbaud’s system. Blackbaud paid the cybercriminal’s ransom demand with confirmation that the copy removed by the cybercriminal had been destroyed. Finally, Blackbaud confirmed that that none of this data was lost or corrupted as a result of this incident.
WHAT INFORMATION WAS INVOLVED
In 2018, TSSP utilized ResearchPoint to analyze our database of TSSP friends and supporters in preparation for a capital campaign. The information we sent included some or all of the following information, depending on what information we had on file for each person whose data was affected: name, spouse’s name, mailing address, telephone number, email address, date of birth, and information about the individual’s relationship with TSSP.
The information submitted to ResearchPoint did not include: Social Security Numbers, credit card or bank information, or any passcodes. TSSP neither keeps nor shares this information in its database, and Blackbaud has confirmed that data removed by the cybercriminal did not contain any credit card information and that the cybercriminal did not gain access to bank account information, usernames, passwords or Social Security Numbers.
WHAT WE ARE DOING
We have been working with Blackbaud to enhance our understanding about this incident and Blackbaud’s data security and to help prevent a similar incident from occurring in the future. Blackbaud notified us that it has implemented changes so that such an incident does not happen again.
Blackbaud said that based on the nature of this incident, Blackbaud’s research, and investigations conducted by third parties including law enforcement, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud also has retained a third-party team of experts to monitor the dark web as an extra precautionary measure.
WHAT YOU CAN DO
While no credit card or payment data was involved in this incident, we encourage you to always closely review your payment card statements for any unauthorized charges. Immediately report any unauthorized charges to the bank that issued your card, as payment card network rules generally provide cardholders are not responsible for unauthorized charges when timely reported.
FOR MORE INFORMATION
We regret that this incident occurred and sincerely apologize for any inconvenience this may have caused. If you have any questions, please contact Tom Ryan, Vice President for Institutional Advancement, at (651) 962-5054.
ADDITIONAL STEPS YOU CAN TAKE
It is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity.
You may obtain a copy of your credit report, free of charge, once every twelve months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax, PO Box 740241, Atlanta, GA 30374, equifax.com, 1-800-685-1111
- Experian, PO Box 2002, Allen, TX 75013, experian.com,1-888-397-3742
- TransUnion, PO Box 2000, Chester, PA 19016, transunion.com, 1-800-916-8800
You may also consider contacting the three nationwide credit reporting companies directly if you wish to obtain information about fraud alerts and security freezes.
If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records.
Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580, gov, 1-877-ID-THEFT (438-4338)
To obtain information about fraud alerts, visit https://www.consumer.ftc.gov/articles/0275-place-fraud-alert.
To obtain information about security freezes, visit https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs.