NORTH MANKATO — Numerous pieces of private information of 13,282 South Central College students, staff and alumni — including Social Security numbers, phone numbers, birthdates, campus ID numbers and more — were potentially obtained by a hacker who accessed the records through the SCC Foundation, the college warned in an email alert to affected individuals Friday afternoon.
A similar email was sent by Minnesota State University President Richard Davenport Friday to 45,487 students, staff, alumni and donors warning of the possible loss of private data to a cyberattack, but the data breach there did not include full Social Security numbers, according to the email.
In each case, the campus conceded that it violated privacy policies by sharing nonpublic personal information on students, staff and donors with nonprofit foundations that raise money for projects and programs at the two institutions.
The cyberattack by an unknown person or persons resulted in potential access to some of that data during a months-long hack of the computer systems of Blackbaud, a South Carolina-based cloud service company used by the SCC Foundation and the Minnesota State University, Mankato Foundation for fundraising purposes.
"As a result of this attack, an unidentified individual may have obtained some personally identifying information stored on Blackbaud's servers, including information about students, staff and alumni of the college and donors to the foundations," stated the nearly identical emails by Davenport and by Narren Brown, vice president of research and institutional effectiveness at SCC. "Private data about you may have been included in this incident."
SCC, which has campuses in North Mankato and Faribault, and MSU were far from alone in being impacted by the Blackbaud data breach. Hospital systems, nonprofit organizations and colleges across the country had information stored with Blackbaud. That included 12 of the state colleges and universities in the system of 37 public higher education institutions in Minnesota, according to Doug Anderson, communications director for the system.
The MSU Foundation stated that it does not store information related to bank accounts, credit cards or Social Security numbers on the Blackbaud site.
Davenport's email stated that the university had improperly shared private information with the foundation that may have included birthdate, country of birth, ethnicity, TechID and the final four digits of Social Security numbers, among other information.
By contrast, SCC's alert on Friday stated that the college had improperly provided even more personal information — namely Social Security numbers — to the foundation, violating its Family Educational Rights and Privacy Act policy. The college and MSU should have supplied only "directory information" such as a student's name, field of study and dates of attendance and "limited directory information" such as mailing address or email address.
"As part of its investigation into the Blackbaud data breach, the college also learned that it had provided information about you to the foundations that was not Directory Information or Limited Directory Information and should not have been disclosed without your consent or without notice to you," Brown wrote. "Data about you provided to the Foundations may have included your social security number, date of birth, address, telephone number, email address, Star ID and Student ID. This information may also have been part of the data obtained by the Blackbaud attacker."
The hacker demanded an undisclosed amount of ransom from Blackbaud, which the company paid.
"In order to protect this data, Blackbaud paid the attacker's demand and received confirmation that the data the attacker copied had been destroyed, although the college is not able to independently verify this has occurred," Brown wrote.
If Blackbaud's assurances to SCC are accurate, financial information of donors was not compromised.
"Blackbaud asserts that the attacker did not access credit card information, any bank information or social security numbers were encrypted and not accessible to the attacker," SCC Director of Marketing and Communications Shelly Megaw told The Free Press Friday night.
An investigation of the incident is continuing, and affected individuals will have a right under Minnesota law to receive the final report on the facts and details uncovered in the investigation.
Both MSU and SCC promised they would be revising data privacy notices to make clearer what data is provided to the foundations and provide all students with the ability to opt out of that data sharing. The emails from the institutions also stated that each "deeply regrets that this occurred and apologizes for the uneasiness and inconvenience this may cause you."
In response to a Free Press question about the five-month lag between when SCC learned of the cyberattack and the email alert, Megaw said: "Many factors were involved in the time required for notification including the complexity of determining the data that may have been compromised and the substantial demands on resources brought about by the pandemic."
Blackbaud initially promised that private financial information had not been breached but backpedaled somewhat in a late-September update of the "security incident."
The company stated that a minority of customers may have had highly sensitive personal data exposed, pledging that those customers had already been contacted: "... The cybercriminal may have accessed some unencrypted fields intended for bank account information, social security numbers, usernames and/or passwords. In most cases, fields intended for sensitive information were encrypted and not accessible. These new findings do not apply to all customers who were involved in the incident."
The MSU Foundation in a message posted on the university website stated that it would not be possible for the attack to have accessed the sort of highly private data that can be used in identity theft on MSU-related individuals, simply because that information was not stored with Blackbaud.
"Therefore, we can confirm that your Social Security number, credit card or bank account information were not breached," the MSU Foundation message stated.
HealthITSecurity.com reported in September that the Blackbaud cyberattack affected more than six million people ranging from hospital patients to Harvard University donors. The infiltration started in February and wasn't discovered until May. At least 10 class-action lawsuits have been filed on behalf of victims alleging the company failed both in its duty to protect private data and to notify people in a timely manner that their data had been compromised.