NOTICE OF DATA BREACH

We were recently notified by our third party database service provider, Blackbaud Inc., of a data security incident on their systems. This incident may have involved a limited amount of your personal information, and while we have received assurances that your data was not and will not be misused, we are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant.

What Happened?

Blackbaud are one of the world’s largest providers of customer relationship management systems for not-for-profit organisations and the Higher Education sector. NUI Galway uses this third party system to record engagement with members of the University community, including alumni and extended networks and supporters. At this time, we understand Blackbaud discovered and stopped a ransomware attack. This incident has affected several universities and other Blackbaud not-for-profit clients internationally.

After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement— successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and ultimately expelled them from the system. However, before being locked out, the cybercriminal removed a copy of a backup file containing personal information including a subset of NUI Galway data.

What Information Was Involved?

It’s important to note that the cybercriminal did not access credit card information or bank account information. Student data was not involved.

However, Blackbaud has determined that the file removed may have contained names; contact information including telephone numbers, email addresses, and mailing addresses; and a history of our alumni and supporters relationships with our organisation up to that point.

Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, their research, and a third party (including law enforcement) investigation, Blackbaud do not believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly and are continuing to monitor this. NUI Galway was not party to the decision to make this payment and only became aware of this payment after it had occurred.

What We Are Doing

We have immediately launched our own investigation and have taken the following steps:

  • We promptly informed the Data Protection Commission of the data security incident and are continuing to work closely with the commission on this matter;
  • We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant;
  • We will continue to work with Blackbaud to investigate this matter, and we continue to take advice from our Data Protection Officer and IT security team;
  • We are reviewing our relationships with the third party service provider.

What You Can Do

We have been assured that no credit card, bank account, or other sensitive information of that nature was compromised, however as best practice we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper law enforcement authorities.

For More Information

NUI Galway takes the protection and proper use of information pertaining to our alumni and supporters very seriously, as detailed in our data privacy statement https://www.nuigalway.ie/alumni-friends/updateyourdetails/dataprivacystatement/.

We sincerely apologise for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact us at blackbaud-incident@nuigalway.ie or call us at 091 495497.