Cyber Incident Victim: Harvard University
Date:
May 2020
Location:
United States of America
Summary
A cybersecurity incident involving a third-party software provider used for fundraising exposed demographic and philanthropic engagement data of Harvard affiliates in the United States, including names, addresses, employment information, and birthdates. The breach occurred when attackers attempted to lock the provider’s systems for ransom, successfully exfiltrating a copy of client data before the company paid to ensure its destruction; no financial data or sensitive identifiers like Social Security numbers were compromised as the institution had not shared such information with the vendor. The event also affected other organizations, including Boston University and local religious institutions, with some advising no immediate action was necessary for impacted individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2020, Blackbaud—a software provider used by Harvard University for fundraising and donor engagement since 2006—experienced a ransomware attack in which cybercriminals attempted to lock the company out of its own servers. The attackers successfully extracted a copy of client data before Blackbaud halted the breach. Harvard Alumni Affairs and Development notified affected affiliates via email on August 12, 2020, revealing the breach potentially exposed U.S.-based individuals’ demographic information, including names, addresses, employment details, birthdates, and philanthropic engagement records. The University clarified that no high-risk data—such as Social Security numbers, bank account details, or credit card information—was stored with Blackbaud and therefore remained uncompromised. Blackbaud confirmed it paid the ransom after receiving assurances from the attacker that the stolen data copy had been destroyed, though the company did not disclose the payment amount or provide independent verification of the data’s deletion. Harvard first learned of the incident in July 2020, nearly two months after Blackbaud discovered the breach.
The incident impacted multiple Harvard-affiliated entities, including St. Paul’s Parish and the Harvard Catholic Center, whose members received a separate notification from Reverend William T. Kelly on August 12. Kelly advised parishioners that no immediate action was necessary. External organizations linked to Blackbaud, such as Boston University and WBUR, were also affected. Harvard’s email emphasized ongoing collaboration with Blackbaud to assess the breach’s scope but did not specify whether legal or regulatory reviews would occur. Neither Harvard nor Blackbaud provided additional public statements in response to media inquiries following the disclosures. The breach highlighted risks associated with third-party vendor management, particularly for institutions relying on external platforms to process constituent data spanning over 14 years.