A cybercriminal acquired MU alumni and donor cloud data services in a cybersecurity incident in May, according to an email from Vice Chancellor for Advancement Jackie Lewis.
Blackbaud, the third-party company storing the data, alerted MU in late July. The breach affected a number of higher education institutions and other organizations, and Blackbaud ended up paying a ransom to ensure the data was destroyed.
The cybercriminal could have obtained public information about MU alumni and donors including names, date of births, contact information, degree information and MU giving history.
The information acquired did not include credit card information, bank account information or social security numbers, according to the email. MU does not keep a record with Blackbaud of this information.
After notification from Blackbaud of the cybersecurity incident, MU began investigating its extent. Blackbaud had also investigated and reported that the cybercriminal acquired backup files, attempted to encrypt them and demanded a ransom. Blackbaud received confirmation that the files had been "removed and destroyed" after paying the ransom, according to the email.
Blackbaud reports on its website that it has "no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."
MU is continuing to work with Blackbaud about data handling and security practices. The email contained Blackbaud's assurance that it has “identified and fixed the vulnerability associated with this incident” and begun additional data protection measures.
"We are committed to transparency and the protection of the personal data that we maintain," Lewis wrote in the email. "We want you to be aware of the incident, but no additional action is needed."
MU sent the email "out of an abundance of caution." Questions should be directed to email@example.com or 877-738-4546.