The foundation was notified in October by Blackbaud – a software service provider that it and the Old Elizabethan Association used until 2018 – of the data security incident, which resulted from a ransomware attack on Blackbaud’s system in May.
The college had terminated its relationship with Blackbaud in 2018 and had understood that the foundation’s data would be deleted. However, it was informed that due to ‘breakdowns in their decommissioning procedures this was not done’.
The incident affects around 6,000 alumni, parents and members of the extended network whose information was stored with the software company. That information includes details such as name, address and telephone number, as well as education information, namely the dates when they attended and college numbers.
No financial data, such as credit cardholder data or bank account information, was held on the database and no usernames or passwords were accessed.
The foundation is also separate from the college itself, so no college reports have been affected.
Dot Carruthers, the foundation’s director, said that although they had been assured by Blackbaud that the issue had now been resolved and that the data was secure, they had taken appropriate action, including reporting the breach to the Office of the Data Protection Authority in Guernsey and conducting an internal data audit to determine who had been affected.
‘Elizabeth College Foundation takes data security very seriously and is taking all necessary steps to review and respond to this incident, including notifying those individuals who may have been affected,’ she said.
‘We understand a significant number of institutions across the world have also been affected, including many UK universities, schools and national charities.
‘Blackbaud’s cyber security team worked with forensics experts and law enforcement agencies to expel the cybercriminal from its systems and fix the vulnerability they had used to access the data.
‘Blackbaud has assured us that they do not believe the data has been shared or misused.’
Mrs Carruthers asked people to remain aware of potential data misuse.
‘Whilst we have received assurances from Blackbaud that they have no reason to believe that any personal information was or will be misused, disseminated or otherwise made publicly available, nonetheless we encourage all members of our community to remain wary of any unexpected communications and continue to be cautious of any suspicious emails, letters, or phone calls,’ she said.
‘Any suspicious activity should be reported to the proper law enforcement authorities.
‘We value greatly the support of all our alumni, parents and friends of the college.
‘Whilst we could not have foreseen this incident occurring two years after ending our relationship with Blackbaud, nonetheless we sincerely regret any concern or inconvenience that this incident may cause.’
The hack lasted from 7 February until it was discovered by Blackbaud on 20 May and was first disclosed to the public in July. The firm said it had paid the hackers a ransom and believed the thieves had subsequently destroyed the stolen data.
Overall, the breach affects millions of people, and several of the worldwide breach victims have filed lawsuits against the vendor.