As disclosed to our community on September 25, 2020, a vendor recently notified Vianney of a data security incident. Please know Vianney takes the protection and proper use of your information very seriously. We greatly value all of our community members’ support of Vianney, respect your privacy, and work hard to keep your trust. We are sharing this information about the security incident as part of our commitment to accountability and transparency.
You may access a full notification from Blackbaud concerning the situation at https://www.blackbaud.com/securityincident. The following is a summary:
Blackbaud—a highly regarded cloud-computing provider that serves many non-profit institutions—experienced a ransomware attack and recently informed Vianney that it was one of many institutions, including other local schools, potentially affected.
After discovering the attack, Blackbaud’s Cyber Security team—together with independent forensics experts and law enforcement— successfully prevented the cybercriminal from blocking their system access and fully encrypting files; and removed them from their system. However, the cybercriminal had already copied and taken some backup files that may have contained some individuals’ personal information. For additional information regarding this incident please visit https://www.blackbaud.com/securityincident.
What Information Was Involved:
Blackbaud assures us that no credit card information, financial account information, user names or passwords within our database was accessed or compromised by the cybercriminal. However, Blackbaud has determined that they removed back-up files containing fields with other data. On September 29, 2020 Blackbaud also discovered some of their clients had compromised social security numbers. Fortunately, Vianney was not among those Blackbaud clients with any general exposure to this problem. We have learned, however, that a legacy file with SSN information concerning former referees, may have been accessible.
Blackbaud paid the cybercriminal’s ransomware demand and secured confirmation that the back-up copy they removed had been destroyed.
Based on the nature of the incident, Blackbaud’s research, and third party (including law enforcement) investigation, Blackbaud says it has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
Blackbaud is monitoring the situation and indicates there is no evidence anyone’s personal information has appeared on the dark web or been misused. Nevertheless, Blackbaud is offering some identity theft and fraud protection to those affected.
Blackbaud has stated it has implemented several changes that will protect clients’ data from any subsequent incidents. Its teams identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and fixed it. They have confirmed through testing by multiple third parties and platform vendors, that their fix withstands all known attack tactics. Additionally, they are accelerating steps to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms.
What We Are Doing:
Fortunately, this security incident did not involve an attack on Vianney’s internal network or systems or expose any vulnerability at Vianney. Vianney continues to invest in extensive measures to protect all confidential data it maintains. Vianney has investigated this incident and identified those limited files and individuals’ data that the ransomware criminals possibly could access. Vianney remains in direct contact with Blackbaud and is monitoring the situation for any further developments. Further, Vianney is making notification and communicating the Blackbaud situation directly to potentially affected persons.
What You Can Do:
We do not believe it is necessary for you to take any further action at this time. As always, we recommend you remain vigilant and watch for any unusual activity related to your personal information or unsolicited fundraising solicitations. Promptly report any suspicious activity to the proper law enforcement authorities and check out any discrepancies in your credit or account information with Equifax, TransUnion, and Experian.
As noted above, Blackbaud is offering certain services for those individuals connected to any exposed data. If your data was exposed, you will likely receive a notification by email or mail from us. If you formerly served as a referee for our sporting events and do not hear from us, please contact the school office.
Your relationship with Vianney is of utmost importance to us. We are working regularly with Blackbaud regarding this incident and will be monitoring the situation carefully.
Please accept our sincere apologies for any inconvenience this may have caused you.