Dear Newark Academy Community Members,
Newark Academy, and those of us who serve NA, value our relationship with you and take seriously our responsibility to protect the personal information that you share with us. With that in mind, we are writing to let you know that Newark Academy was recently informed by Blackbaud, one of NA’s cloud-based data management providers, that it discovered and intercepted a ransomware attack in May 2020. This cyberattack involved files that Blackbaud manages for Newark Academy’s Office of Institutional Advancement.
What is Blackbaud?
Blackbaud is the global industry leader in providing fundraising and constituent engagement data management for nonprofit organizations. It is widely considered the industry standard and, as such, has thousands of educational clients, both in independent school and in higher education. Further, Blackbaud serves many national nonprofit organizations, including the American Red Cross, and a large number of non-governmental organizations around the world. Due to its industry dominance, Blackbaud reports that it thwarts more than a million cyberattack attempts each year.
In May 2020, Blackbaud discovered and stopped a ransomware attack. In a ransomware attack, cybercriminals attempt to disrupt a company by locking that company out of its own data and servers. Upon discovering the attack, Blackbaud’s cybersecurity team — along with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking access and fully encrypting files; and ultimately expelled the attacker from the Blackbaud system. Prior to being locked out, the cybercriminal removed a subset of data stored by Blackbaud.
What data was affected?
Included in the Blackbaud data subset that was attacked were names, addresses, telephone numbers and giving history from Newark Academy’s Institutional Advancement database. The cybercriminal was unsuccessful in obtaining anything beyond contact information and giving history. Encrypted information held in Newark Academy’s data files, including credit card and banking information, usernames and passwords, and dates of birth remained secure and were not obtained in this attack. Newark Academy does not hold social security numbers in its fundraising/constituent engagement database. This incident did not involve our enrollment database or student information system (My NA).
Upon receiving notification from Blackbaud, Assistant Head of School Lisa Grider and Director of Technology David Kapferer, along with other members of the Advancement team conducted a review of our constituent records to ensure integrity.
What happened to the data?
Blackbaud, in conjunction with cybersecurity consultants and law enforcement agencies, including the FBI, agreed to pay the ransom demanded by the cybercriminal and received confirmation that the stolen data had been destroyed. Based on the nature of the incident, our research, and third-party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
What measures has Blackbaud taken to increase security?
As part of its ongoing efforts to help prevent or thwart future attacks, Blackbaud informed Newark Academy of several additional measures that have been implemented to protect your data. Through testing by multiple third-parties, including the appropriate platform vendors, Blackbaud has informed Newark Academy that the vulnerability that enabled the cybercriminal to access the information was remedied in order to withstand any future attacks of this nature. If you wish to learn more about this security breach and security measures, please contact Blackbaud at 1-855-907-2099 between 9 a.m. and 9 p.m. ET Monday – Friday.
What measures is Newark Academy taking to increase security?
Newark Academy is one of many schools, colleges, universities and nonprofit organizations impacted by this breach in data security. The Blackbaud product used by Newark Academy's Office of Institutional Advancement resides on a Blackbaud cloud server (not on one of the school's on-premise servers, which are also vulnerable to cyberattacks). Used daily by members of the Advancement Office, the Blackbaud data management platform requires two-factor authentication each time a member of our staff accesses the system and terminates that access within minutes of each login.
NA is joining with a number of independent school groups demanding that Blackbaud remedy any deficiencies in its data control system through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What can you do?
As a best practice in cybersecurity, Newark Academy community members are encouraged to remain vigilant in monitoring online identity and accounts. According to the United States Department of Justice, “internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.”
Unfortunately, security breaches and attacks (also called “hacks”) are regular aspects of life in the 21st century. Please know that Newark Academy will continue to engage only with those external partners that can provide the highest level of protection for your ongoing engagement with our community.
Assistant Head of School for External Affairs
Director of Technology