Dear Alumni & Friends,

Report of a Data Security Incident

I am writing to notify you of a data security incident that has affected one of the University’s third party service providers, Blackbaud, which provides cloud computing software used for processing some of your personal data.

We recognise that this is unsettling news and we sincerely apologise that this has happened, but rest assured that Blackbaud have taken steps to mitigate this incident and any risks to your information. The University is following up with internal investigations and remedial actions of its own. However, we advise that you be vigilant to potential phishing communications and requests to provide information.

Blackbaud has been a respected provider of Education and Third Sector relationship management systems for more than two decades and is engaged by institutions globally. We understand that in May this year Blackbaud discovered the incident and took measures to deal with it. In response to the attack a detailed forensic investigation was undertaken, on behalf of Blackbaud, by law enforcement and contracted external cyber security consultants. Blackbaud has reported that the data taken by the attacker, which included your details, was subsequently confirmed as deleted by the attacker as part of Blackbaud’s negotiations. They also have measures in place to continue to scan for any suspicious activity which may follow on from this event and verify the quality of strengthened security systems now in place to prevent future attacks.

The Blackbaud platform which was impacted is used by Edinburgh Napier University to communicate by email with Alumni and Friends. Your data that was affected includes name, email address, update details, gift history and attendance at university events.

Blackbaud confirmed in its statement to Edinburgh Napier University that no credit card information or bank account details were accessed.

Edinburgh Napier University’s priority remains the relationship with the members of our Alumni and Friends community, and the protection of their information. As soon as we were notified, we reported the breach to the Information Commissioner’s Office (ICO) and began to seek details from Blackbaud to identify if your data record was included in the incident. We continue to investigate, but we felt it was important to be transparent with you as to what happened. Given Blackbaud’s assurances, we have every reason to believe that the risk to your data is low and we have no reason to believe that individual data records were targeted. We are therefore advising you of what happened as a precautionary measure.

We deeply regret any worry and inconvenience that this data breach by Blackbaud may have caused you and hope that the mitigating actions Blackbaud reports provide reassurance. However, it is still advised that you remain vigilant for any unusual communications or requests you may receive. Information about Phishing, protecting yourself and reporting unusual activity can be found here: https://www.gov.uk/report-suspicious-emails-websites-phishing.

We take data protection very seriously and we are grateful for your understanding, continued support and engagement.

If you wish to discuss this further or require more information, please contact me at alumni@napier.ac.uk. We will also publish updates on our website if we become aware of further important information here : https://napier.ac.uk/alumni/alumni-news/latest-news/Blackbaud-data-security-incident.