Notice of third-party service provider (Blackbaud) data breach

Recently, the University of Regina was advised by third-party service provider Blackbaud - one of the world’s largest cloud computing providers - that it had experienced a ransomware attack that impacted many of its clients around the world. Charitable organizations, foundations, and universities in the UK, New Zealand, the United States, and Canada - including the U of R - were affected.

The U of R uses Blackbaud’s customer relationship management (CRM) software solutions to manage its alumni, donor, and organization data and to communicate with various members of the University community.

The security incident involved unauthorized access to data primarily sourced from publicly available information. It did not include financial data such as banking or credit card information, social insurance numbers or social security numbers.

Data that may have been compromised included information such as name, date of birth, contact information, donation history or engagement with the U of R.

The security incident did not affect the core Blackbaud software systems used by the U of R. ResearchPoint, a secondary Blackbaud software system used by the U of R for donor prospect research purposes, was the only affected system used by the U of R and its use has been decommissioned by the University. No academic or student information systems were affected.

Blackbaud informed the U of R that the cybercriminal destroyed the stolen data after they were paid a ransom by Blackbaud, and that research by Blackbaud and third-party investigators (including law enforcement) shows no evidence that the data has been shared by the cybercriminals. As a precautionary measure, Blackbaud has engaged a team of third-party digital experts who will continue to monitor the internet for any signs of the comprised data, including that of the U of R.

Blackbaud has released a public statement that can be viewed here: https://www.blackbaud.com/securityincident.

In response to this incident, the University has:

• Informed the Information and Privacy Commissioner of Saskatchewan and will continue to work closely with the Commissioner’s office in responding to this incident;
• Actively engaged with Blackbaud to understand why this happened and what actions they are taking to mitigate risk of such incidents in the future; and,
• Decommissioned the use of the ResearchPoint system in our environment.

The privacy of our alumni, donors, students, employees, and partners is extremely important to the U of R and for that reason we acted promptly to understand the nature of what happened and mitigate further risk through the decommissioning of the affected system.

The University sincerely regrets any inconvenience Blackbaud’s security incident may have caused.  We are here to address your questions or concerns. You can contact us regarding this incident by emailing: blackbaud.response@uregina.ca.