CSU system investigating wide-reaching Blackbaud cyberattack

A spokesperson for the CSU Chancellor’s Office told EdScoop that all 23 of its campuses use software from Blackbaud, which recently paid its cyberattckers to delete stolen customer data.
California State University, Northridge campus
Students gather at California State University, Northridge. (CSU)

Administrators at California State University, Northridge sent a letter to students on Friday indicating that some of their personal information may have been involved in a recent cyberattack against one of its cloud-based service providers. Upon contacting the CSU Chancellor’s Office, EdScoop has learned that the breach may have affected any of the 23 campuses in the public university system that enrolls nearly half a million students.

The notice adds another name to the list institutions where data was stolen amid an extended cyberattack against the software company Blackbaud between last February and May.

The cyberattack was disclosed to CSU Northridge and other higher education institutions, nonprofits, religious groups, health care organizations and corporations that Blackbaud counts among its customers on July 16, weeks after the company identified a ransomware attack, which it claims to have thwarted.

Despite preventing its files from being encrypted, the company explained in a July 16 blog post that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.” Though the company said those files did not contain financial or Social Security information, it agreed to pay the cyberattacker to delete the stolen data.


“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” Blackbaud’s statement reads. “This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment.”

Lenoir-Rhyne University, a private school in Hickory, North Carolina, posted a notice last week that it had also been notified by Blackbaud, and named some of the data sets that had been compromised: “names, contact information, demographics, degree information, campus affiliations, memberships, and other data internal to Lenoir-Rhyne’s fundraising and engagement activities, such as event participation, and giving history.”

Blackbaud — whose customers include organizations as wide-ranging as the Sacramento Zoo, the Catholic Diocese of Trenton and the University of London — did not respond to a request for information about which organizations were affected, but many of those who were notified by the company have in recent days released notices to their customers or student bodies.

According to the letter from CSU Northridge, the California State University system is currently working with the company to “better understand their timeline for notification, what data was potentially exposed, and what improvements they are making to their security protocols to ensure this does not happen again.”

The university customers listed on Blackbaud’s website include the University of Notre Dame, University of South Dakota, University of Central Arkansas and Wake Tech Community College in Raleigh, North Carolina. Days after the initial disclosure, the BBC confirmed another dozen organizations that had been affected by the data leak, including the Rhode Island School of Design and many universities based in the U.K., such as University of Leeds and University of York.


A spokesperson for the CSU Chancellor’s Office told EdScoop that all campuses in the California State University system use Blackbaud “for a variety of services.”

“[H]owever due to the variance in utilization of services across the campuses, we are still gathering information about the potential impacts to the university,” CSU’s Michael Uhlenkamp wrote in an email. “We continue to engage Blackbaud to determine details of this security incident and any proposed remediation plans.”

Despite the company’s statement that the attacker deleted the stolen data and that it won’t be made public, no university has been able to verify that claim, and some, like CSU Northridge, are encouraging their students to watch their credit reports.

Latest Podcasts