We take data protection very seriously and very much regret that some members of our University family have been affected. In addition to the information we sent via email, we hope that the information below will help to answer some of the questions you may have if you have been affected.
FAQ list
We informed affected alumni and supporters as soon as we had sufficient information to determine the risks to data subjects, following our investigation into this incident.
Please see a timeline of events below:
- On 16 July 2020 the University of Kent was notified by Blackbaud that it had experienced a serious information security incident involving a limited subset of University of Kent data.
- We immediately engaged with Blackbaud to ascertain the extent of the breach and undertook a risk assessment.
- Blackbaud confirmed that the ransomware attack occurred in May 2020. We are seeking an explanation from Blackbaud about what caused the delay in notifying us. We are disappointed that they did not inform us sooner so that we could have notified affected individuals earlier.
- We received sufficient information from Blackbaud about which University of Kent records were affected by Monday 27 July.
- We contacted our affected alumni and supporters on Tuesday 28 July.
The University of Kent is the ‘Data Controller’ for any data held or processed by third-party service providers. That means the University is responsible for ensuring that third-party service providers process data according to the law, have technical and organisational measures in place to ensure the security of the data being processed, and securely destroy any data they have processed under a contract once that contract for service has ended.
The University requires third-party suppliers to enter into data processing contracts with the University to ensure that they process any personal data under the instruction of the University and that they maintain the same rigorous standards that would apply if the University were processing the data itself.
Blackbaud have been working with law enforcement authorities and third-party cyber-security experts throughout the incident. They also hired a third-party team of experts to monitor the dark web as an extra precautionary measure. To date they have found no evidence of the data being sold or discussion about the dataset.
Blackbaud chose to pay the ransom. The University was not consulted on the decision, and we were unaware that a payment had been made until after the fact, when Blackbaud initially informed us of the breach.
We are seeking clarification from Blackbaud about the assurances they received that records were deleted by the cybercriminal after the ransom was paid.
We advise that you exercise caution with suspicious emails, phone calls and text messages. The National Cyber Security Centre has a useful website with information about data security. Please see this article for more information: https://www.ncsc.gov.uk/guidance/suspicious-email-actions
The cybercriminal did not access credit card information or bank account information. Blackbaud have confirmed that this information was not held in the area of the database that the cybercriminal gained access to.
As part of remaining vigilant to identity theft, if you notice any suspicious activity on your bank account, please report this to your bank.
Update - 06/10/2020
Blackbaud has discovered that for a limited subset of its customers the data compromised included unencrypted bank account details. They have confirmed that this does not apply to Kent.
Blackbaud has confirmed that no passwords were accessed as part of the attack.
As part of remaining vigilant to identity theft, you may want to consider if the passwords that you use are secure. Please see this guidance from the National Cyber Security Centre about creating a strong and separate password for your email: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/use-a-strong-and-separate-password-for-email
The Alumni site no longer has a login area. We withdrew this service in July 2019, so passwords used to access that area are no longer valid. Blackbaud has confirmed that no passwords were accessed as part of the attack.
The University of Kent takes data protection very seriously. We have contracts in place with all our third-party suppliers to ensure that they uphold our standards to protect the personal data that they process on our behalf.
We very much regret that our supplier’s failure in security on this occasion has compromised some of our records. We will be reviewing our contract with Blackbaud and seeking evidence that they have strengthened their security measures.
Please see the Alumni Office Privacy Notice: https://www.kent.ac.uk/alumni/privacy
The cybercriminal did not access all records stored in Blackbaud’s cloud. Therefore, not all of Kent’s data was compromised in the attack. Alumni/supporters of Kent who had higher-risk personal details compromised by the incident have been informed. If you did not receive an email, it is unlikely that your details were accessed as part of the breach.
Advice from Action Fraud, the National Fraud & Cyber Crime Reporting Centre, says that unauthorised payments, messages that you don't recognise, or logins from strange locations can indicate that someone is accessing your account. If you see unusual account activity, start by contacting your account provider. If you also think you may have lost money, phone your bank/utility.
If you think you have been a victim of fraud or cybercrime, report it to Action Fraud at www.actionfraud.police.uk. Action Fraud is the UK’s national reporting centre for fraud and cyber crime, where you should report fraud if you have been scammed, defrauded or experienced cyber crime.
If you have received an email which you’re not quite sure about, you can forward it to the Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk