Cyber Incident Victim: New Mexico State University Foundation

In late June 2020, New Mexico State University Foundation personnel detected unusual network activity, prompting immediate engagement with law enforcement and the removal of an unspecified number of devices from the network. A forensic investigation commenced to assess potential compromises. Financial institutions managing foundation accounts confirmed no unauthorized attempts to access funds or sensitive financial data during this incident. Separately, in July 2020, the foundation disclosed a prior cybersecurity incident involving Blackbaud, a cloud-based database service provider, which had suffered a ransomware attack in May 2020. The university indicated this earlier event might have enabled unauthorized access to information stored on Blackbaud’s systems.

Investigations into both incidents concluded no evidence of data exfiltration, misuse of personal information, or compromise of credit card details, bank account data, Social Security numbers, or personally identifiable information. The foundation attributed this outcome to the absence of such sensitive data on the affected devices and within the Blackbaud-managed databases. In response, the foundation contracted an unspecified data security firm to strengthen cybersecurity measures, including employee training revisions, security protocol compliance testing, and policy reviews. It implemented donor communication safeguards, prohibiting email requests for financial information or instructions, instead directing credit card payments through secure portals or phone channels and mandating mailed notifications for address or fund transfer changes postmarked from Las Cruces. The foundation advised donors to verify suspicious emails directly with the organization rather than interacting with links or providing data.