Dear OWs, parents and friends of MCS
You may have read in the news about a data breach experienced by Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software.
We have been informed by Blackbaud that a back-up copy of MCS data in the NetCommunity part of their software was part of the cybercriminal attack. Blackbaud has provided us with assurances on the encryption of data and confirmed that – based on the nature of the incident, Blackbaud’s research and third-party (and law enforcement) investigation – they have no reason to believe that any data went beyond the original attacker, or has been otherwise misused; nor that it will be further disseminated or made publicly available.
Nevertheless the school is working closely with Blackbaud and as a precaution has informed both the Information Commissioner’s Office and the Charity Commission. The NetCommunity system is used at MCS to send bulk emails and to store OW profiles. As you are receiving this email, your email address will have been used in NetCommunity. OW profiles are in a password-protected part of the NetCommunity. Details such as name and address would have been included and could have been supplemented by telephone numbers, event attendance, donation history, education, professional details and any free text information on a Personal Information Form. The likely risk is not currently believed to be significant and so there is no need for any action at this time.
Up to January 2019, financial transactions could be made through NetCommunity, including credit card gifts and the online purchase of OW event tickets. We are assured that card information was encrypted such that it cannot be used. I intend to review the details of every past financial transaction made through NetCommunity in order to write this week to anyone who should be particularly made aware of this incident; while we know credit card data was encrypted, there may be some at a heightened risk of phishing attacks. If you ever have any concern about the veracity of a communication from MCS please contact Reception or the Waynflete Office.
I want to be completely open in this matter in the hope that you will feel confident in your relationship with MCS on fundraising, alumni relations and community matters. I do not want future pupils who would otherwise be at MCS through donated bursaries to be the ones who bear the real impact of this sort of cybercrime.
Please find below more information and feel free to email me directly on email@example.com or via firstname.lastname@example.org. Alternatively, you can phone the School Reception (01865 242191) and leave a message for me to call you.
DIRECTOR OF THE WAYNFLETE OFFICE
On 16 July 2020, we were contacted by our third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for the Higher Education sector. Blackbaud informed us that they had discovered and stopped a ransomware attack in May 2020 and that the cyber-criminal was able to remove a copy of a subset of data from a number of their clients, including other UK universities and schools.
Since then we have been working to establish the facts and now understand that the data breach involved information in an area of our system called NetCommunity, which we use to host alumni profiles and send bulk emails, and which was formerly used by MCS to process financial transactions such as credit card donations, purchased tickets to OW events, and merchandise. The system was used for financial transactions between October 2014 and January 2019, although most transactions after 2017 were not processed through this system.
Our understanding of the situation is:
The breach does not affect financial donations or OW ticket sales made by bank transfer, cheques, foundation giving, payroll giving, standing orders or direct debits.
What information was involved
The data compromised was a back-up file from an area of our system called NetCommunity. The information involved will vary on a case-by-case basis:
We have been informed that in order to protect client data and mitigate potential identity theft, Blackbaud paid the ransom demand and received assurances from the cybercriminal that the data was destroyed.
We have taken the following steps:
What you can do
There is no need for you to take any action at this time. You will hear from us directly if we believe that you may be at a heightened risk of a phishing attack.
Please do remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. If you ever have any concerns about the veracity of a communication from MCS please contact Reception or the Waynflete Office.