By Ryan Morris
Addresses, phone numbers, emails — this is all information Western has about alumni, students, parents and donors. A data breach in May at Blackbaud Inc. has forced Western to reevaluate its relationship with data keeping. Western was informed of the breach in July.
According to Blackbaud Inc.’s security incident statement, they discovered and stopped the attack in May. Western is among Blackbaud’s clients whose data was stolen; the university announced the breach in October.
“In a ransomware attack, cybercriminals attempt to disrupt the business by locking companies out of their own data and servers,” according to Blackbaud’s statement.
The announcement explained the cybercriminal did succeed in stealing data, but they destroyed their copy when Blackbaud Inc. paid them what they demanded. Blackbaud wrote they don’t believe the data went public, and they did not name the cybercriminal.
Any Western data after July 2019 was not stolen from Blackbaud, according to an Oct. 29 Western Today announcement.
Mark Brovak, chief operating officer for University Advancement, said the stolen data was for the Western Foundation. Brovak said the data consisted of records for alumni, donors and anyone else associated with Western who are not current students. University Advancement uses this data to update the community on Western’s activities and ask for donations, Brovak said.
Brovak said the breach didn’t include student data, and the cybercriminal did not steal credit information or social security numbers because University Advancement doesn’t store them. He said University Advancement stores data such as addresses and emails, making this a low-severity data breach due to the lack of account numbers or credit monitoring.
Beth Cate, a current clinical associate professor at Indiana University and a former lawyer with expertise in data privacy and security, agreed with Brovak. Cate said private types of data, such as social security numbers, are more easily used for identity theft. Social security numbers are an example of private data because they cannot readily be found online, Cate explained. The breached information was likely already public through social media and consumer behavior, Cate suggested.
“The reality is we make this information available every day,” Cate said. “I encourage [everyone] to think more critically about what they make available.”
Western sent letters to everyone affected by the breach. These letters were the only notice, Brovak wrote in an email to The Western Front. The states of Washington, Colorado and North Dakota require this notice be a hard copy; other states only require a notice if the breach included financial information, he wrote.
“The WWU Foundation, the Alumni Association of WWU and the university sent a joint letter out to each person residing in these states who was included in the data breach,” Brovak wrote in an email to the Front.
Western alum Tiffany King received one of these letters. King said they don’t blame Western for the attack, but they believe the university needs to learn from this incident about keeping others’ data.
King said their biggest concern was a lack of follow up from Western. They said they expected more than the letter.
Brovak said anyone can email him, and University Advancement will follow up. University Advancement has been busy keeping in touch with everyone affected and answering concerns when necessary, Brovak said.
Western director of communication, Paul Cocke, said he is proud of how Western has handled this incident. Cocke received a letter himself. He said Western works hard to protect student data.
“I appreciate Advancement’s diligence in responding to this. They stepped up to the plate and did the right thing,” Cocke said. “I appreciated getting the letter. It was well written and communicated what I needed to know.”
Cate said transparency is the best practice for universities experiencing a data breach.
“Where universities need to pay the most attention is sharing information with third-party vendors,” Cate said. “Inevitably, breaches happen to everyone. There is no silver bullet against that. You do the best you can, and are very transparent about what you’re doing.”
Although Blackbaud Inc. sent an email to Western and had a help desk regarding the attack, Brovak does not approve of how they are following up on the incident.
“We are reevaluating our relationship with Blackbaud. Clearly, Blackbaud has a great deal of work to do to regain the trust of its many, many clients throughout the U.S. and Europe. We will see how they address the gaps that contributed to this breach and then make a determination,” Brovak wrote in an email to the Front.
Brovak explained that Blackbaud has not communicated their next steps for prevention. He said Blackbaud Inc.’s communication has been poor, and they need to provide more clarity about what problems allowed this breach to happen.
“We’d love to see what [the issue] was, how they correct that and what they’re going to do to be sure this doesn’t happen again,” Brovak said. “There needs to be communication from [Blackbaud Inc.] that spells this out.”
Blackbaud wrote that it implemented changes, but these are not listed in their incident statement. Independent reviewers who have evaluated Blackbaud’s program said it exceeds expectations, Blackbaud Inc. wrote on its security page.
Brovak said University Advancement will reevaluate their contract with Blackbaud in the 2021 calendar year. The Foundation’s contract with Blackbaud opens for renewal in the spring, Brovak said. Getting rid of Blackbaud means getting rid of University Advancement’s database, Brovak explained.
“There’s nobody that does what Blackbaud does,” Brovak said. “It’s not like there are other organizations that do this kind of work. It’s we do or we don’t.”
He said this decision will include many voices from both Western and the Foundation. Brovak said Western’s community can never be sure this won’t happen again, but Western can try to minimize the risk.
“We can never say never, but this event has raised awareness among the hundreds of universities, foundations and nonprofits that utilize Blackbaud’s services,” Brovak wrote in an email to the Front.