California State University, Northridge administrators informed educators, students and staff Friday that they all may have been affected by a massive security breach suffered this spring by Blackbaud, CSUN’s third-party technology provider.

Here’s the letter sent to the CSUN community about the incident:

We regret to inform you that California State University, Northridge and numerous campuses in the California State University system, as well as other universities and non-profit organizations around the world, have received notice from third-party technology provider Blackbaud, a software and cloud hosting solutions provider for CSUN and other major universities, that between February and May 2020 hackers breached its network and attempted to install ransomware to lock the company’s customers out of their data and servers.

The hackers stole a subset of data from its self-hosted environment where clients save files.

Blackbaud paid a ransom demand so the hackers would delete data they stole from its network. CSUN has no way to independently verify that the stolen data was deleted.

Blackbaud’s statement said in part, “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly. This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment. The subset of customers who were part of this incident have been notified and supplied with additional information and resources.”

Blackbaud added it “will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”

To read Blackbaud’s full statement on the incident, click here.

Blackbaud asserts that no credit card data was compromised and that all sensitive information such as social security numbers, government ID numbers, etc., was encrypted.

CSUN and other CSU campuses operate transparently and work hard to earn the public’s trust. The campuses take privacy and information security very seriously, and protecting personal data and information is a top priority. We strive to be accountable with students, faculty, staff, the community and businesses. This means sharing and updating information and making it readily available to the public. That is why it is troubling that Blackbaud waited so long to notify the CSU and other clients about the data incident that took place two months ago.

The CSU system is in discussion with Blackbaud to better understand their timeline for notification, what data was potentially exposed, and what improvements they are making to their security protocols to ensure this does not happen again.

For anyone concerned about identity theft, CSUN recommends regularly reviewing account statements and periodically obtaining a credit report from one or more of the national credit reporting companies. Everyone may obtain a free copy of their credit report once every 12 months by either visiting www.annualcreditreport.com, calling toll free at 1-877-322-8228 or by completing an Annual Credit Report Request Form.

While Blackbaud is responsible for the data breach, CSUN and the CSU deeply regret any inconvenience this incident has caused.

Sincerely,

Robert Gunsalus
Vice President for University Relations and Advancement and Foundation President

Ranjit Philip
Interim Vice President for Information Technology and CIO