Statement on Blackbaud Data Breach

August 10, 2020

On July 16, 2020, George Washington University (GW) received notification of a security incident that took place at Blackbaud, a vendor who provides services for some of our donor databases and maintains data we provide with respect to those services. Blackbaud informed us that it had identified and prevented a ransomware attack across several Blackbaud clients; however, prior to the attempted attack, the attacker had copied a subset of back-up files sometime between February 7, 2020, and May 20, 2020, and held that for ransom. Blackbaud paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.

Upon receiving notice of the incident from Blackbaud, GW teams commenced our own investigation to confirm what information was present in the data files involved in the incident. Our review has confirmed that this limited scope of data files primarily contained name and home address information for some of our U.S.-based donors and, on occasion, other information such as birthday, spouse name, employer, and on very rare occasion last and largest gift amount and date, total giving, and number of gifts of some of our donors. While GW’s file did not include sensitive data such as credit card information, bank account information, and social security numbers, Blackbaud has informed us that such sensitive data are encrypted.

We are providing notice of this incident because we take the security of the information we maintain very seriously and wanted to let our community know that this incident occurred. We sincerely regret any inconvenience this incident may cause. Should there be any further questions or concerns regarding this matter, please do not hesitate to contact Gail Ferris ([email protected], 202-994-8954) or the Office of Ethics, Compliance & Privacy ([email protected]).