This webpage provides up to date information on a data breach affecting alumni. If you have been directly affected, you will have received an email from us outlining further details. The information on this page will be updated as we understand more about the data breach. If you have any concerns, please contact us at [email protected].
What happened
On 16 July 2020, we were notified by Blackbaud, a third-party service provider, that they had experienced a criminal ransomware attack. During this incident, a subset of their data was removed from their systems. A number of institutions in the UK and globally have been affected and we have been informed that Blackbaud identified that this included data relating to LSHTM alumni.
Blackbaud is one of the world’s largest providers of database management systems for higher education, charities, the arts and other not-for-profit organisations. LSHTM uses Blackbaud systems to manage its alumni relations and fundraising programmes. After our own investigation, we have identified what data held in our systems was part of this data breach. This webpage is intended to outline what we know so far and to keep you updated as we learn more.
What information was involved
Alumni Online Community
The investigation we have undertaken indicates that the file contained information on those who are registered members of LSHTM’s alumni community. The data may include your name, contact information (e.g. email, telephone number and postal address), demographic information (e.g. gender, date of birth) details of your degree at LSHTM (subject of study, year of graduation) and career details (e.g. basic employment information) you may have given us.
Blackbaud have advised us that information such as the password you created for your account were encrypted.
Event attendees
If you are not a registered member of the online alumni community, but have signed up for or attended an event, data may include that which you provided at the time of registration, such as your name, email address, date of birth, educational and employment details (job title and employer).
Mailing lists
If you are not a registered member of the online alumni community, but receive emails from us, data may include your name and email address.
No financial data was part of the breach and absolutely no credit card information, bank details or donation history was accessible at any time.
We currently believe the risk attached to this incident is likely to be low, based on our own internal investigations and the steps taken by Blackbaud to date. You can read details of their response on their website.
What LSHTM is doing
We are notifying you so that you are aware of this breach of Blackbaud’s systems and can remain vigilant. We take our data protection responsibilities very seriously and have immediately launched our own investigation. We are continuing to investigate this matter, working with Blackbaud, with a view to continually monitor the risk to individuals.
A detailed forensic investigation has been undertaken, on behalf of Blackbaud, by law enforcement and third-party cybersecurity experts.
We have been informed that in order to protect client data and mitigate potential identity theft, Blackbaud met the cybercriminal’s ransomware demand. Blackbaud has advised us that it paid a ransom and received assurances from the cybercriminal that the data had been destroyed.
Blackbaud has informed the Information Commissioner’s Office (ICO) about the breach. LSHTM has also informed the ICO.
We are aware that Blackbaud has already implemented several changes that will help protect data from any subsequent incidents, including identifying the vulnerability associated with this incident, including the tactics used by the cybercriminal, and taking swift action to fix it.
LSHTM has also taken the decision to move away from the particular system that was affected by the data breach. Information on a replacement platform for alumni engagement will be announced in the coming weeks.
What you can do
No action is required from you at this time. However, we recommend you remain vigilant and promptly report any suspicious activity or suspected identity theft to us and to the proper enforcement authorities. If you have any concerns, you can contact us by emailing [email protected].
If we need to contact you again on this matter, we will only use this e-mail address. If you receive any information or requests about this incident purporting to be from LSHTM, but from a different e-mail address to that given above, please inform us immediately and we recommend that you exercise due caution and do not respond to any suspicious e-mails.
If you are a registered Alumni Online user, out of an abundance of caution, you may wish to update your password on Alumni Online and any other websites where you may have used the same password.
Further information
The security of your information is of utmost importance to us, and we sincerely apologise and regret if this incident causes you any inconvenience. We are actively working with Blackbaud to investigate the matter further. We will be keeping our website up to date if there are further developments on this issue.
Please be assured that we take data protection very seriously and we are grateful for our community’s continued support and engagement.
Should you have any further questions or concerns regarding this matter or the protections available to you, please do not hesitate to contact us at [email protected].