Skip to main content

Blackbaud Data Breach

Wed 29 Jul 2020

The information below relates to a data security incident with a third-party data services provider, Blackbaud, that has affected HEIs across the UK and US, including Trinity Laban and Blackheath Halls.

At Trinity Laban and Blackheath Halls, we take our data protection responsibilities very seriously. This information is shared to outline the investigative action we have taken, and will continue to take, to protect our community.

Background of Incident

We have been contacted by third-party service provider Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. We use this system to record our engagement with some members of our community, including alumni, staff and students, and extended networks and supporters. 

Blackbaud informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to copy a subset of data from a number of their clients. This included Trinity Laban and Blackheath Halls data.

We would like to reassure you that:

  • a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and third-party cyber security experts
  • Blackbaud have confirmed that the investigation found that no encrypted information, such as bank account details or passwords, was accessible
  • Blackbaud also confirmed that no credit card information formed part of the data theft

In order to protect customers’ data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid the ransom and received assurances from the cybercriminal that the data had been destroyed. They also advise that their cyber security experts are conducting a range of monitoring activities which have indicated that the data is not in circulation.

What information was involved?

It is important to note that no financial information was involved, such as bank account, credit card details, or passwords. Where we do hold such information, it is held in a secure encoded form, and this has not been affected by this incident.  

However, it is likely that a range of other personal information was accessed. Our database holds information about our alumni and supporters, and while many records are only partial, they can include details of dates of birth, contact information such as email addresses and phone numbers and a history of relationships with the Conservatoire, such as when people studied here, donation dates and amounts, and events organised by Trinity Laban or Blackheath Halls that people may have registered for or attended.

What is Trinity Laban doing about this?

Upon receiving information from Blackbaud, Trinity Laban and Blackheath Halls immediately launched our own investigation and have taken the following steps:

  • We have informed the Information Commissioner’s Office (ICO) of the breach and are awaiting further guidance
  • We have notified individuals to make them aware of this breach of Blackbaud’s systems and advised them on how they can remain vigilant
  • We are working with other universities to share knowledge and best practice
  • We are working with Blackbaud to understand why this happened, why there was a delay between them finding the breach and notifying us, and what actions they have taken to increase their security

Do I need to do anything to protect myself?

There is no need for affected parties to take any action at this time. We are assured by Blackbaud that the incident has been resolved. As best practice, we recommend affected parties remain vigilant and promptly report any suspicious activity, or phishing attacks attempting to solicit information from you, to the authorities. 

If you would like to contact us to find out more about this, or about the data we hold about you, please contact blackbaudqueries@trinitylaban.ac.uk  

What happens next?

We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team. We are fully committed to updating you again if we receive any information that is contradictory to this email, or if we are required to take further steps.

What if I want you to delete my details from your system?

If this is something you would like us to do, please contact us directly at dataprotection@trinitylaban.ac.uk. Please note that we may need to retain a minimum amount of information for statutory purposes.

If you would like to find out more about Trinity Laban’s data protection policies and your data rights please read our privacy policies.