July 28, 2020
Dear KES Community:
We are writing to let you know about a data security incident that may have involved your personal information. King’s-Edgehill School takes the protection and proper use of your information very seriously. We are therefore contacting you to explain the incident and provide you with steps you can take to protect yourself.
We were recently notified by our third-party service provider, Blackbaud, one of the world’s largest customer relationship management (CRM) providers, of a ransomware attack that impacted many of its clients around the world, including King's-Edgehill School. At this time, we understand it discovered and stopped the ransomware attack and Blackbaud's Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking system access and fully encrypting files; and ultimately expelled the cybercriminals from its system. Prior to locking the cybercriminal out, the cybercriminal removed a copy of our backup file possibly containing some of your personal information. This occurred at some point beginning on February 7, 2020 and the cybercriminal could have been in the system intermittently until May 20, 2020.
What Information Was Involved:
It’s important to note that the cybercriminal did not access your credit card information, bank account information, or social insurance/security number. However, the file removed may have contained a backup copy of our constituent data in our development/fundraising platform. Because protecting customers’ data is a top priority, Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, the research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What We Are Doing:
We are notifying you so that you can take action to protect yourself. Ensuring the safety of our constituents’ data is of the utmost importance to us. As part of Blackbaud’s ongoing efforts to help prevent something like this from happening in the future, it has already implemented several changes that will protect your data from any subsequent incidents. First, their team was able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it. We have confirmed through testing by multiple third parties, including the appropriate platform vendors, that Blackbaud’s fix withstands all known attack tactics. Additionally, Blackbaud is accelerating efforts to further harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What You Can Do:
As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper law enforcement authorities.
For More Information:
We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to contact Derek Parker at 902-798-2278 or at firstname.lastname@example.org.
Sincerely,
Joe Seagram
Headmaster of King’s-Edgehill School