You are a member of the Oregon Tech community; we value our relationship with you and take your privacy seriously. We wanted to inform you that the Oregon Tech Foundation was recently notified by Blackbaud, our third-party engagement and fundraising software service provider, that we were one of numerous nonprofits that were affected by a data security breach that involved some of your personal information. We are notifying you to explain what happened and provide you with steps that you can take to safeguard your personal information. This incident did not involve access to any payment card data, bank account information, or social security numbers.
The incident
On July 16, 2020, Blackbaud notified us of a data security incident, specifically a ransomware attack. In a ransomware attack, a criminal attempts to disrupt an organization by locking the organization out of its data and servers. Blackbaud has also informed us that its cybersecurity team, independent forensics experts, and law enforcement prevented the criminal from blocking system access and fully encrypting files, and expelled the criminal from its system. Before being removed from the system, the criminal removed a copy of some data. Blackbaud’s explanation of what occurred can be found at https://www.blackbaud.com/securityincident.
Blackbaud has indicated that the incident occurred from February 7, 2020, through May 20, 2020, affecting nonprofit organizations across the nation. Although Blackbaud’s cybersecurity team prevented the criminal from blocking system access and fully encrypting the files, a backup file containing personal information was removed.
Information involved
The file might have contained information pertaining to your relationship with Oregon Tech Foundation, including your name, address, date of birth, contact information, email address, gender, spouse’s name, giving history, participation in our efforts, demographic information, and other information that you have provided to us. However, Blackbaud has confirmed that the criminal did not access the following encrypted information:
- credit card information,
- social security numbers,
- bank account information, and
- usernames or passwords.
Blackbaud’s response
Blackbaud has informed us that it:
- Paid the cybercriminal a ransom to ensure that the copy was destroyed;
- Has no reason to believe that any data was or will be misused, disseminated, or made public;
- Identified and eliminated the associated vulnerability that was at issue in this incident; and
- Hired its own cybersecurity team to continue monitoring for this type of criminal activity.
In addition, Blackbaud has promised to accelerate its efforts to further strengthen its security controls.
What you can do
You should immediately report any suspicious activity or suspected identity theft to your financial institutions and law enforcement authorities, including your state attorney general and the Federal Trade Commission.
You should remain vigilant by reviewing account statements and monitoring credit reports. You also are entitled every 12 months to one free copy of your credit report from each of the three major credit reporting companies. To obtain a free annual credit report, go to www.annualcreditreport.com or call 1-877-322-8228. You can also contact one of the following three national credit reporting agencies:
- Equifax, P.O. Box 105851, Atlanta, GA 30348, 1-800-525-6285
- Experian, P.O. Box 9532, Allen, TX 75013, 1-888-397-3742, www.experian.com
- TransUnion, P.O. Box 1000, Chester, PA 19016, 1-877-322-8228, www.transunion.com
You might consider placing a fraud alert on your credit file, the first of which is free and will stay on your credit file for at least one year. Doing so notifies creditors of possible fraudulent activity within your report and requests that the creditor contact you before establishing any accounts in your name. You can place a fraud alert on your credit report by contacting any of the three credit reporting agencies identified above.
Some states permit you to place a security freeze on your credit file, which will prevent credit from being opened in your name without a personal identification number that is issued to you when you initiate the freeze. There is no fee for doing so.
For more information
We sincerely regret this incident and any inconvenience that this might cause you. If you have any questions or concerns regarding this matter, contact Krista Darrah, Interim Executive Director, at 541-885-1134 or krista.darrah@oit.edu.