Blackbaud mum on which universities had Social Security data stolen

The company revised its story last week, but it's still not saying which universities were affected by the cyberattack discovered last May.
social security card
(Getty Images)

The cloud-based service provider Blackbaud last week updated its story about a cyberattack affecting its servers earlier this year, noting that hackers had gained access to unencrypted banking information and Social Security numbers for some of its customers. And while philanthropic organizations around the world have been affected by the attack, the company has declined to share publicly how many universities were involved in a breach now known to be more serious than previously reported.

In an email to EdScoop, a company spokesperson said Blackbaud is not publicly disclosing the identities of the affected organizations, and has instead chosen to notify them each privately.

“To respect the privacy of our customers, we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically,” the spokesperson wrote.

The company also said “the majority” of its customers were not affected by the incident, though dozens of organizations — including universities, nonprofits and hospitals — have announced that their customers’ data was exposed by the cyberattack in some way. (Bloomberg Law reported Tuesday that two patients of New York hospitals have filed lawsuits against Blackbaud, claiming the company violated state consumer protection laws and did not comply with data-protection standards.)


Blackbaud wrote in a Sep. 29 blog post that hackers removed data from the company’s private cloud environment.

“Forensic investigation found that for some of the notified customers, the cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords,” the company’s website reads.

Blackbaud’s statement also said the company paid the cybercriminal’s demand after receiving confirmation that the stolen information had been destroyed.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” the statement read.

In a blog post from July 16, which has since been revised, Blackbaud said the compromised data did not contain financial or Social Security information. An old version of the announcement indicated that the hack took place over the course of several months, from February to May, but that information has also been removed from the company’s website.


Some of the affected universities are known, but it’s unclear which, if any, saw their financial or Social Security data exposed. The California State University system told EdScoop earlier this year that the breach may have affected any of its 23 campuses. Other university customers listed on Blackbaud’s website include the University of Notre Dame, University of South Dakota, University of Central Arkansas and Wake Tech Community College in Raleigh, North Carolina.

Days after the initial disclosure, the BBC reported another dozen organizations had been affected by the data leak, including the Rhode Island School of Design and a handful of universities based in the U.K., such as University of Leeds and University of York.

Blackbaud customers also include organizations as wide-ranging as the Sacramento Zoo, the Catholic Diocese of Trenton and the University of London.

Colin Wood contributed reporting.

Betsy Foresman

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.

Latest Podcasts