Bemidji State University has learned of a ransomware attack on its donor management software vendor, Blackbaud, which may have allowed access by an unauthorized individual to not-public data on students, alumni, and employees. Much of the data stored by Blackbaud is considered directory information under the Family Educational Rights and Privacy Act (FERPA) and is therefore public data under Minnesota law. However, Bemidji State University disclosed some not-public data to the BSU Alumni & Foundation, and those data elements were stored by Blackbaud and accessible in the attack. Such information may have included contact information, dates of birth, demographic data, philanthropic interests, and donation history. Blackbaud asserts that the attacker did not access credit card information; any bank account information or social security numbers were encrypted and not accessible to the attacker. For a full report, contact Bemidji State University at DataNotice@bemidjistate.edu.
The following email message was sent to affected individuals on Friday, December 18, 2020.
Important Notice Regarding Disclosure of Private Information
Bemidji State University takes seriously its responsibility to protect private information about the individuals in our community. We are writing to inform you of a concern about the unauthorized access of your private information through a breach of a cloud-service vendor, Blackbaud. We believe the incident has been resolved, and no action is required on your part.
In July 2020, Bemidji State University Alumni & Foundation (the Foundation) and Bemidji State University (the University) learned that an attacker had breached data contained in Blackbaud, a cloud service the Foundation uses for fundraising purposes. The Foundation is a private 501(c)(3), nonprofit organization dedicated to securing private gifts and grants for the benefit of the University. The Foundation contracts with the University to provide services and staff to the Foundation.
As a result of this attack, an unidentified individual may have obtained some personally identifying information stored on Blackbaud’s servers, including information about students, staff, and alumni of the University and donors to the Foundation. Private data about you may have been included in this incident. In order to protect this data, Blackbaud paid the attacker’s demand and received confirmation that the data the attacker copied had been destroyed, although the University is not able to independently verify this has occurred.
Much of the data stored by Blackbaud is classified by the University as either “Directory Information” (such as name, field of study, and dates of attendance) or “Limited Directory Information” (such as mailing address or email address) pursuant to the college or university’s annual Family Educational Rights and Privacy Act (FERPA) notice and is therefore public data under Minnesota law. Additional not-public data that may have been accessed included demographic data, philanthropic interests, and donation history collected by the Foundation. Blackbaud asserts that the attacker did not access credit card information; any bank account information or social security numbers were encrypted and not accessible to the attacker.
As part of its investigation into the Blackbaud data breach, the University also learned that it had provided information about you to the Foundation that was not Directory Information or Limited Directory Information and should not have been disclosed without your consent or without notice to you. Data about you provided to the Foundation may have included your SSN, Gender, Ethnicity, and Date of Birth. This information may also have been part of the data obtained by the Blackbaud attacker.
Bemidji State University has been investigating this incident as required by law. Upon completion of our investigation, you have the right under Minnesota law to receive a report on the facts and details of the investigation, including any employee discipline (if applicable). If you would like a copy of the report, please contact President Faith C. Hensrud at DataNotice@bemidjistate.edu by January 31, 2021, to request delivery of the report by email. In addition, the University will be revising its annual FERPA notice to make clearer what data is provided to the Foundation and provide all students with the ability to opt out of that data sharing, as required by law.
Bemidji State University deeply regrets that this occurred and apologizes for the uneasiness and inconvenience this may cause you. If you have further questions related to this incident, please contact: President Faith C. Hensrud at DataNotice@bemidjistate.edu.
We will keep you informed of any additional developments that may be relevant to you.
Faith C. Hensrud, Ed.D.
Bemidji State University & Northwest Technical College
1500 Birchmont Drive NE, #3
Bemidji, MN 56601