Cyber Incident Victim: University of North Carolina System
Date:
May 2020
Location:
United States of America
Summary
A ransomware attack targeted a third-party service provider supporting the University of North Carolina System, compromising a subset of constituent data that potentially included names, contact details, philanthropic interests, educational history, and other publicly available personal information. The attackers accessed self-hosted data but did not obtain encrypted sensitive elements such as Social Security numbers or financial account details. The provider paid the ransom and received assurances the stolen data was destroyed, while the affected institutions collaborated to assess impacts and strengthen vendor security practices.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2020, Blackbaud—a service provider for the University of North Carolina System Office—experienced a ransomware attack targeting its self-hosted data environment. The intrusion was detected and contained by Blackbaud, who expelled the attackers, but not before they removed a copy of a subset of constituent information. The UNC System was formally notified of the breach on July 16, 2020. According to Blackbaud’s disclosure, the compromised data potentially included publicly available details such as names, titles, dates of birth, and spouse information; contact details like phone numbers and email addresses; philanthropic interests, giving capacity, and donation history; and educational attainment records. Blackbaud clarified that encrypted fields—including Social Security numbers, bank account details, and payment card information—remained unreadable due to encryption. The company paid the ransom demand to prevent further exposure of the stolen data and received assurances from the attackers that the copied information had been destroyed. Blackbaud also committed to monitoring dark web channels for any signs of the exfiltrated data resurfacing.
Multiple UNC System institutions utilizing Blackbaud’s services were impacted by the incident, though the extent varied across campuses. Each affected institution initiated independent assessments to determine the scope of data exposure specific to their constituents. The UNC System Office coordinated with Blackbaud to reinforce security protocols and prevent recurrence, while also collaborating with peer institutions to address broader concerns regarding third-party vendor security practices. System-wide actions included evaluating operational and communication channels to mitigate risks from the breach. Affected individuals were directed to contact institutional representatives for case-specific inquiries, with Blake MacIver designated as the UNC System’s primary contact for questions. No evidence emerged suggesting misuse of the stolen data, and Blackbaud’s confirmation that sensitive financial identifiers remained encrypted limited immediate financial risks to individuals. The UNC System reiterated its commitment to information security but acknowledged the disruption caused by the incident.