A cyberattack on software provider Blackbaud has resulted in the theft of customer data from California State University – Northridge.
Blackbaud notified its clients July 16 that between February and May, hackers breached its network. No ransomware was installed but the hackers did steal some data from the company’s customer servers. Based in Charleston, S.C., Blackbaud provides cloud hosting and customer management solutions for CSUN and other universities in the CSU system.
On Friday, CSUN issued a letter to staff and students notifying them of the school’s involvement in the hack.
Also victimized were dozens of higher education institutions in the UK and nonprofits across the world.
Blackbaud said in a statement that while the hackers did not successfully install ransomware or encrypt files, they were able to steal a subset of data from the company’s self-hosted environment where clients save files. The company did not reveal the exact nature of the stolen data, but said it did not include credit card information, bank account information, or Social Security numbers. It paid a ransom demand so the hackers would delete the stolen data.
“We paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said in a statement. “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
In its letter to students, CSUN conceded it “has no way to independently verify that the stolen data was deleted.”
In an email to the Business Journal, CSUN Director of Media Relations Carmen Chandler said, “The CSU system is in discussion with Blackbaud to better understand their timeline for notification, what data was potentially exposed, and what improvements they are making to their security protocols to ensure this does not happen again.”