- About MCS
MCS ranks among the top independent secondary schools in The Sunday Times Schools Guide 2024, placed seventh nationally and third in the Southeast. - Admissions
Approximately 1 in 10 pupils receive a bursary or scholarship. We are committed to ensuring an MCS education is open to the brightest pupils, no matter their personal circumstances.
- Junior School
“The Junior School is a very busy and happy school and here, a smile goes a long way.”
MCS ranks among the top independent secondary schools in The Sunday Times Schools Guide 2024, placed seventh nationally and third in the Southeast.
- Senior School
39 of our pupils achieved 10 or more 8 or 9 grades in 2023. - Sixth Form
Over 25% of our Sixth Form pupils take up places at Oxford and Cambridge every year.
- Supporting MCS
Your donations contribute over £150,000 a year to bursaries as well as building an endowment to fund bursaries for the future.
39 of our pupils achieved 10 or more 8 or 9 grades in 2023.
Your donations contribute over £150,000 a year to bursaries as well as building an - About MCS
MCS ranks among the top independent secondary schools in The Sunday Times Schools Guide 2024, placed seventh nationally and third in the Southeast.
- Admissions
Approximately 1 in 10 pupils receive a bursary or scholarship. We are committed to ensuring an MCS education is open to the brightest pupils, no matter their personal circumstances.
- Junior School
“The Junior School is a very busy and happy school and here, a smile goes a long way.”
- Senior School
39 of our pupils achieved 10 or more 8 or 9 grades in 2023.
- Sixth Form
Over 25% of our Sixth Form pupils take up places at Oxford and Cambridge every year.
- Supporting MCS
Your donations contribute over £150,000 a year to bursaries as well as building an endowment to fund bursaries for the future.
Message to OWs, Parents, and Friends of MCS
…
Dear OWs, parents and friends of MCS
You may have read in the news about a data breach experienced by Blackbaud, one of the world’s largest providers of education administration, fundraising, and financial management software.
We have been informed by Blackbaud that a back-up copy of MCS data in the NetCommunity part of their software was part of the cybercriminal attack. Blackbaud has provided us with assurances on the encryption of data and confirmed that – based on the nature of the incident, Blackbaud’s research and third-party (and law enforcement) investigation – they have no reason to believe that any data went beyond the original attacker, or has been otherwise misused; nor that it will be further disseminated or made publicly available.
Nevertheless the school is working closely with Blackbaud and as a precaution has informed both the Information Commissioner’s Office and the Charity Commission. The NetCommunity system is used at MCS to send bulk emails and to store OW profiles. As you are receiving this email, your email address will have been used in NetCommunity. OW profiles are in a password-protected part of the NetCommunity. Details such as name and address would have been included and could have been supplemented by telephone numbers, event attendance, donation history, education, professional details and any free text information on a Personal Information Form. The likely risk is not currently believed to be significant and so there is no need for any action at this time.
Up to January 2019, financial transactions could be made through NetCommunity, including credit card gifts and the online purchase of OW event tickets. We are assured that card information was encrypted such that it cannot be used. I intend to review the details of every past financial transaction made through NetCommunity in order to write this week to anyone who should be particularly made aware of this incident; while we know credit card data was encrypted, there may be some at a heightened risk of phishing attacks. If you ever have any concern about the veracity of a communication from MCS please contact Reception or the Waynflete Office.
I want to be completely open in this matter in the hope that you will feel confident in your relationship with MCS on fundraising, alumni relations and community matters. I do not want future pupils who would otherwise be at MCS through donated bursaries to be the ones who bear the real impact of this sort of cybercrime.
Please find below more information and feel free to email me directly on sbaker@mcsoxford.org or via waynfleteoffice@mcsoxford.org. Alternatively, you can phone the School Reception (01865 242191) and leave a message for me to call you.
Yours,
SUSANNAH BAKER
DIRECTOR OF THE WAYNFLETE OFFICE
What happened
On 16 July 2020, we were contacted by our third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for the Higher Education sector. Blackbaud informed us that they had discovered and stopped a ransomware attack in May 2020 and that the cyber-criminal was able to remove a copy of a subset of data from a number of their clients, including other UK universities and schools.
Since then we have been working to establish the facts and now understand that the data breach involved information in an area of our system called NetCommunity, which we use to host alumni profiles and send bulk emails, and which was formerly used by MCS to process financial transactions such as credit card donations, purchased tickets to OW events, and merchandise. The system was used for financial transactions between October 2014 and January 2019, although most transactions after 2017 were not processed through this system.
Our understanding of the situation is:
- The cybercriminal did not gain access to full credit card details because they were encrypted;
- A detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts;
- There is no reason to believe that any data went beyond the cyber-criminal, was or will be misused or made available publicly;
- Blackbaud have identified the vulnerability associated with this incident and have confirmed that they have addressed it.
The breach does not affect financial donations or OW ticket sales made by bank transfer, cheques, foundation giving, payroll giving, standing orders or direct debits.
What information was involved
The data compromised was a back-up file from an area of our system called NetCommunity. The information involved will vary on a case-by-case basis:
- Anyone receiving this email will have their email address in the NetCommunity data back-up.
- For our OW community, this will depend on any further profile information added in the password-protected area of the OW website. Basic details such as name and address would have been included and could have been supplemented by telephone numbers, event attendance, donation history, education and professional details. If you included free text information on an OW Personal Information Form, this would have been stored in the back-up. Each OW has a password to allow them to access their own profile and this password was encrypted.
Â
Steps taken
We have been informed that in order to protect client data and mitigate potential identity theft, Blackbaud paid the ransom demand and received assurances from the cybercriminal that the data was destroyed.
We have taken the following steps:
- We have informed the Information Commissioner’s Office (ICO) and the Charity Commission of this breach;
- We are working with Blackbaud to confirm why there was a delay between them finding the breach and notifying us;
- We are notifying constituents who use email and our online systems so that they are aware of this breach to Blackbaud’s system and can remain vigilant;
- We will review the details of every financial transaction made through NetCommunity in order to write to anyone who we believe should be particularly made aware of this incident; while we know data was encrypted, there may be some at a heightened risk of phishing attacks;
- We are working closely with the school’s lawyers and Blackbaud and will publish any further updates in the coming weeks should they be required;
- We will continue our Conveniamus bursary campaign and remain confident that the donation channels we have in place are not affected by this incident.
What you can do
There is no need for you to take any action at this time. You will hear from us directly if we believe that you may be at a heightened risk of a phishing attack.
Please do remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities. If you ever have any concerns about the veracity of a communication from MCS please contact Reception or the Waynflete Office.
